We research all brands listed and may earn a fee from our partners. Research and financial considerations may influence how brands are displayed. Not all brands are included. Learn more.

Photo illustration by Sarina Finkelstein for mONEY; Getty Images (3)

The vast majority of travelers book their vacations online these days—and now over a third even use their smartphone to make all the arrangements. But how seriously do these booking sites take data security?

As it turns out, not very—at least when it comes to password protection, according to a new report from password manager Dashlane. While companies typically have multiple layers of security, passwords are the “first line of defense, the forgotten hero,” says Ryan Merchant, an author on Dashlane's report.

Of the 55 top travel booking websites Dashlane tested —which included all of the major U.S. airlines, rental car and cruise companies—only apartment/housing rental site Airbnb received top marks for its data security policies around password protection. Hawaiian Airlines, Hilton, Marriott, Royal Caribbean and United Airlines also all passed Dashlane's tests.

But a staggering 89% of the travel sites tested failed, including major booking sites like Expedia and Orbitz. Norwegian Cruises was the worst, coming in dead last in Dashlane’s analysis.

Expedia, Orbitz, and Norwegian Cruises did not immediately respond to requests for comment.

“It’s just baffling in 2018 that every company isn’t implementing basic security requirements for their users,” Merchant says.

The password manager analyzed whether the sites met basic standards when it came to passwords, such as requiring more than eight characters and stipulating that customers use both letters and numbers, while also testing whether sites allowed really weak passwords like 12345 or ‘password.’

From there, Dashlane also evaluated whether the site showed users how strong or weak their password was and if they sent an account verification email. Finally, sites earned credit if they offered two-factor authentication. Only two companies tested did so: Airbnb and hotel site Booking.com.

Dashlane looked at password protocols because it's the most transparent aspect of a company’s data security, Merchant says, saying it can be difficult to discover what companies are doing on the backend. Plus, consumers can’t control how a company defends data from hackers. The only control users have over their data is to have a strong password.

And how a company treats passwords may tell a broader story about their overall security. For example, Orbitz—which failed Dashlane’s test—just suffered a data breach last month. Nearly 900,000 customers may have had their personal information (including credit cards, home addresses and telephone numbers) exposed, according to the booking site.

When using a travel site, Merchant recommends taking the initiative and using a stronger password—one with at least eight characters that’s alphanumeric and even includes special characters. You can also use a password manager like Dashlane, which will create a unique password for each site.

Also, skip the step where you save any credit cards or personal information that’s not required in your account. Many times sites will keep your credit card on file for speedier check-out, but that’s just one more piece of information hackers could have if the account is breached. Finally, if you do use Airbnb and Booking.com, enable two-factor authentication.

“The onus should be on these sites to make sure users just have that extra element of security,” Merchant says.