It's 2026. You Can Use the Guest WiFi.

I was connecting to guest WiFi the other day when a technology professional nearby commented that he “guessed it was okay.”

I mentioned that most traffic is encrypted now, so it’s not the risk it used to be. He countered with device isolation, how you can’t trust the WiFi provider to segment the network properly.

I thought about it for a second. Then I dropped it.

Not because he was right. Because I recognized the pattern.

We Have a Word for This Now

In November 2025, a group of over 100 CISOs, security leaders, and practitioners published an open letter at hacklore.org. The letter formally asks the security community, journalists, and policymakers to stop promoting what they call “hacklore”: catchy but inaccurate security advice that sounds smart but doesn’t reflect current reality.

Public WiFi is item number one on their list.

The signatories aren’t fringe voices. This is Jen Easterly (former CISA Director), Alex Stamos (former CSO of Facebook and Yahoo), Heather Adkins (Google), Parisa Tabriz (Google Chrome), Bob Lord (former CISO of Yahoo and the DNC), Tony Sager (former NSA), and dozens more. CISOs from Microsoft, LinkedIn, Okta, Pinterest, Block, DigitalOcean. People who have actually responded to large-scale compromises.

Their position is clear: large-scale compromises via public WiFi are exceedingly rare today. Modern products use encryption to protect traffic even on open networks. Operating systems and browsers warn users about untrusted connections. The threat model has changed. The advice hasn’t.

The Problem Isn’t Being Wrong. It’s Burning Credibility.

Here’s what bothered me about that interaction. It wasn’t that the guy was technically incorrect about device isolation being a real concept. It is. But it’s a network architecture concern, not a reason to avoid guest WiFi in 2026. He took a legitimate but narrow technical point and used it to justify blanket advice that the security community’s own leaders have publicly retired.

This is what hacklore does. It takes a kernel of something that was once true (or is true in a very specific context) and turns it into universal guidance that people repeat to sound knowledgeable.

And here’s the part that actually matters: every time a security person gives someone outdated advice with confidence, they make it harder for the rest of us. When that same person later tries to get someone to enable MFA or use a password manager, the credibility is already spent. Why would anyone listen? The last security advice they got was to be afraid of WiFi.

We have a limited window of attention with the people we’re trying to protect. Every time we waste it on retired threats, we lose ground on the stuff that actually matters.

The Real List

The hacklore letter doesn’t just call out bad advice. It replaces it with what actually works. Their recommendations are boring, proven, and effective:

Keep your devices and critical apps updated. Enable multi-factor authentication, ideally passkeys. Use strong, unique passphrases (16+ characters, never reused). Use a password manager.

That’s it. Not exotic. Not impressive at a dinner party. But these are the things that actually prevent compromises for everyday people and small businesses.

Compare that to the retired list: avoid public WiFi, never scan QR codes, don’t charge from public USB ports, turn off Bluetooth, regularly clear cookies, change passwords constantly.

All of it sounds proactive. None of it meaningfully reduces risk in 2026. And worse, it consumes the limited time and attention people have for security. If someone spends their energy avoiding WiFi and clearing cookies, they’re not setting up a password manager.

Why Security People Keep Doing This

I think hacklore persists for two reasons.

First, it’s easy. Telling someone to avoid public WiFi takes five seconds and requires no follow-up. Helping someone set up MFA on their three most important accounts takes time and patience. Hacklore is low-effort advice disguised as expertise.

Second, it signals identity. Saying “I’d never connect to public WiFi” tells the room you’re a security person. It’s a badge. It doesn’t matter that the actual risk is negligible. It feels like security, and that’s enough.

This is the same dynamic I wrote about in “Security Theater vs. Security.” The appearance of protection becomes more important than actual protection. It happens with tools, it happens with policies, and it happens in casual conversations at conferences.

What to Do Instead

If you’re in security, read the hacklore letter. Check the list against your own habits. Most of us have repeated at least one of these without thinking about it.

Then do the harder thing: give advice that’s proportional to actual risk. Help someone set up a password manager instead of warning them about QR codes. Talk about passkeys instead of password rotation. Spend your credibility on the things that will actually keep people safe.

And if someone connects to guest WiFi in front of you? Maybe just let them.
