How Hackers Steal Passwords on Public Wi-Fi

You've heard the warning your whole life: don't do anything important on public Wi-Fi, because someone nearby could be pulling your passwords straight out of the air. That used to be exactly true. It mostly isn't anymore — and the reason it stopped being true is the reason the real attack got so much quieter. This video follows Sam, working from a coffee shop, and Kim, a penetration tester the café actually hired to test its network. Years ago Kim could have opened Wireshark, watched the traffic float past, and read Sam's password as plain text. Today almost every real site runs HTTPS, so the same capture arrives as unreadable noise. So we walk through what a 2026 attacker does instead, one step at a time. First the reconnaissance: encryption hides the contents of your traffic but not its shape, and the DNS lookups leaking off an open network name every site your phone reaches — a profile, not a password. Then the pivot that matters — Kim stops listening and becomes the network, standing up a rogue access point with the café's exact name and a stronger signal, because a phone recognizes a network only by its name and reconnects on its own. From there: the KARMA problem of remembered names that sit on millions of phones, the captive portal — that "sign in to continue" page we've been trained to accept — asking Sam to type his real password into a page Kim wrote, the narrower but real world of SSL stripping and lookalike domains, and finally how a stolen password or session cookie gets spent that night from home, where nothing looks out of place because by every check the system runs, it was Sam. We close on the two defenses that actually change the outcome: a VPN that turns a rogue access point into a tunnel it can't read, and passkeys, which have no password to phish and refuse to sign in on a domain that isn't the real one. Like every video on this channel, this shows how the attack is built, not how to run it. The point is to understand the weakness, not hand it over. public Wi-Fi security · why HTTPS changed password sniffing · evil twin / rogue access point attacks · the KARMA attack and remembered network names · captive portal phishing with Wifiphisher · SSL stripping (sslstrip) and its shrinking surface · session cookie reuse and account takeover · how VPNs and passkeys actually stop it. ⚠️ Educational, defensive security. Nothing here is a usable exploit. CHAPTERS 0:00 The warning you half-remember 1:00 What the air still gives away 1:50 Becoming the network (evil twin) 2:56 When your phone volunteers (KARMA) 3:45 The page that asks nicely 4:38 Stripping the padlock 5:43 Spent somewhere else 6:20 The name was never proof