You are at an airport, your phone battery has died, and you need to check your boarding confirmation. The hotel business centre has a computer available. Your bank needs you to complete a verification process and you are far from home without your laptop. These situations are common, and public computers seem like a convenient solution. They are also one of the higher-risk computing environments most ordinary people will encounter.
This guide will not tell you to simply avoid public computers — sometimes you genuinely have no other option. It will tell you exactly how to use them with the maximum possible safety, what never to do on them, and how to check and clean up afterwards.
Understanding the actual risks
Keyloggers. A keylogger is software that records every key pressed on a device and either stores the log locally for later retrieval or transmits it remotely in real time. Keyloggers can be installed on public computers by previous users, by malicious parties who have had physical access to the machine, or sometimes even by the organisation operating the computer for monitoring purposes. A keylogger would capture every character of any password you type.
Pre-installed malware. A public computer that has been compromised may have malware that goes far beyond keylogging: screen capture software that records what you are doing visually, clipboard monitoring that captures anything you copy, session hijacking tools that can steal authenticated sessions from your browser, or data exfiltration tools that copy files you download or upload.
Cached credentials. Browsers save usernames and passwords, autocomplete entries, and session cookies by default. A previous user may have saved their credentials in the browser, or may have failed to log out of an account. Their residual session data might still be active. Conversely, your session data from the current use might be visible to the next person who sits down if you do not clear it.
Shoulder surfing. Physical surveillance — someone watching what you type or looking at your screen — is a real risk in public environments. Position yourself so that your screen is not visible to people behind or beside you. Be particularly careful when entering passwords.
Outdated software. Public computers are often infrequently maintained. They may be running outdated versions of Windows, outdated browsers, or unpatched software with known vulnerabilities. This makes them more susceptible to drive-by malware and browser-based attacks.
What you should never do on a public computer
Some activities carry risk levels that no precaution can adequately mitigate. These are the activities that belong on your own devices only:
- Online banking, investment accounts, or any financial transaction — the combination of keylogging risk and session hijacking risk makes this particularly dangerous
- Entering payment card details for any purpose
- Logging into your primary email account — remember, email is the key to every other account
- Accessing work systems, VPNs, or corporate networks
- Any activity involving your password manager — do not install it, log into it, or copy credentials from it on a public computer
- Saving any document containing personal information to the device
- Allowing the browser to save any password or fill any form automatically
How to use a public computer when you must
If you must use a public computer for something that involves logging into an account, follow these steps in order. First, open an incognito or private browsing window. This stops the browser from keeping your history, cookies, login sessions, and form data once the window is closed. It does nothing against a keylogger or other malware already running on the machine. On Chrome: press Ctrl+Shift+N. On Firefox: Ctrl+Shift+P. On Edge: Ctrl+Shift+N. On Safari: Cmd+Shift+N.
Second, never allow the browser to save your password when prompted. If the browser asks, always choose “Never for this site” or click the X to dismiss the dialogue.
Third, when you are finished, explicitly log out of every account you have accessed. Do not just close the tab or the browser; find the logout button in each account and use it. This terminates your session on the server side, meaning that even if session cookies remain on the computer temporarily, they will be invalid.
Fourth, before leaving, open the browser settings and manually clear all browsing data — history, cookies, cached images, and form data. In most browsers this is accessible through Settings → Privacy or Settings → History → Clear Browsing Data. Set the time range to “All time” to ensure nothing is missed.
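Why the third step matters, shown as an added example that is not part of the original guide: a minimal server-side session table in which a cookie left behind after closing the tab still authenticates, while the same kind of cookie is rejected after an explicit logout. The class and function names, the user "alice" and the one-hour session lifetime are assumptions made for illustration, not any real service's behaviour.

```python
import secrets
import time


class SessionStore:
    """Hypothetical server-side session table: token -> (user, expiry time)."""

    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)   # value the browser stores as a cookie
        self._sessions[token] = (user, now + self.ttl)
        return token

    def authenticate(self, token, now=None):
        """Return the user for a presented cookie, or None if it is not valid."""
        now = time.time() if now is None else now
        record = self._sessions.get(token)
        if record is None:
            return None                     # unknown or already logged out
        user, expires = record
        if now >= expires:
            del self._sessions[token]       # expired: forget it
            return None
        return user

    def logout(self, token):
        # Server-side termination: the cookie value becomes useless everywhere.
        self._sessions.pop(token, None)


def leftover_cookie_outcomes():
    """Compare closing the tab with logging out (constructed timestamps)."""
    store = SessionStore(ttl_seconds=3600)
    t0 = 1_000_000.0
    closed_tab_cookie = store.login("alice", now=t0)   # user just closes the tab
    logged_out_cookie = store.login("alice", now=t0)   # user clicks "log out"
    store.logout(logged_out_cookie)
    ten_minutes_later = t0 + 600
    return {
        "closed_tab": store.authenticate(closed_tab_cookie, now=ten_minutes_later),
        "logged_out": store.authenticate(logged_out_cookie, now=ten_minutes_later),
        "closed_tab_after_ttl": store.authenticate(closed_tab_cookie, now=t0 + 3600),
    }
```

Without a logout, the session stays valid until the server's own timeout, which is why closing the browser alone is not enough on a shared machine.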
Your phone is almost always the better option
In the vast majority of situations where you might consider using a public computer, your smartphone is a significantly safer alternative. Your phone runs software you control, has your security settings configured as you choose, does not have other people’s session data on it, and is not running unknown monitoring software.
If you need internet access and your phone battery is low, finding a wall socket to charge it for a few minutes while using it is almost always preferable to switching to a public computer. If you need a larger screen for a task, connecting your phone to a monitor via a cable, if one is available, gives you your phone’s security with a larger display.
If you travel frequently and find yourself regularly needing internet access without your laptop, a small portable charger (power bank) that can charge your phone is a worthwhile investment that eliminates the public computer scenario entirely for most use cases.
After using a public computer: what to do
Once you are back on your own device, check the recent activity on any account you accessed from the public computer. Most services show a log of recent logins with the device type and location. Verify that no suspicious subsequent logins have occurred. If you see any activity you did not initiate, change the password for that account immediately and enable two-factor authentication.
If you logged into anything financial on a public computer despite the guidance above, contact your bank or financial institution and inform them. Consider changing the password for that account as a precaution regardless of whether you see suspicious activity.