According to Dashlane’s 2018 Travel Website Password Power Rankings, 89% of travel-related websites leave their users’ accounts exceptionally vulnerable to hackers due to unsafe password practices.

The rankings rate password and account security on 55 of the world’s most popular travel-related sites. Dashlane researchers test each website on five critical password and account security criteria. A site received a point for each criterion it met, for a maximum score of 5/5. Any score below 4/5 was considered failing and not meeting the minimum threshold for good password security.

 Photo by  Anete Lūsiņa

Researchers found that only 11% (6/55) passed with a score of 4/5 or better, and only one travel-related website - Airbnb - received a perfect score. Unlike Airbnb, other commonly used travel websites like American Airlines, Hotwire, and Carnival Cruise Lines received a score of 1/5. One website, Norwegian Cruise Lines, ranked 0/5; meaning it did not meet a single one of the critical password and account security criteria.

The failing websites even allowed Dashlane researchers to set up accounts with alphanumeric passwords “12345” and “password.”

“Big names in the travel industry often come under fire for their physical treatment of customers, receiving public blowback on social media for flight delays, egregious treatment of passengers or even food-borne illnesses,” Dashlane CEO Emmanuel Schalit said in a statement. “In many cases, the result is a close examination of business practices and positive shift. The travel industry should treat their cybersecurity failings in much the same fashion, and make the necessary changes.”

Critical Security Lapses

Travel sites failed to protect user data in three major ways:

1. 2FA failings: 96% travel sites tested do not provide 2FA (two-factor authentication). The security benefits of enabling 2FA are well documented. In fact, Dashlane recommends enabling 2FA on all sensitive accounts.

2. Dashlane found that 81% of travel sites did not provide users with password strength assessment tools during the account creation process.

3. Poor security practices: When compared to results of Dashlane’s 2017 rankings of leading consumer websites, travel sites performed especially poorly. In the consumer rankings, which examined sites such as Apple, Facebook, and PayPal, only 36% received a failing score. That is a stark contrast to the 89% of sites that failed Dashlane’s 2018 travel examination.

Best Security Practices

There are a few simple actions that consumers can take to improve their online security:

  • Use a unique password for every online account.
  • Generate passwords that exceed the minimum of 8 characters.
  • Create passwords with a mix of case-sensitive letters, numbers and special symbols.
  • Avoid using passwords that contain common phrases, slang, places or names.
  • Use a password manager to help generate, store and manage your passwords.
  • Under no circumstances should you use an unsecured Wi-Fi connection (e.g. public Wi-Fi) while traveling.

“I believe that traveling is the single greatest opportunity to de-stress from daily life and broaden our horizons,” stated Schalit “However, the modern traveler has to reckon with the many digital hazards associated with a journey—from booking flights, to reserving hotel rooms, to renting a car or looking online for recommendations—which creates many chances for personal data to become compromised. Our intention in ranking travel sites is not to scare people away from one of life’s greatest pleasures, but to make the modern traveler more aware. The days of worrying about just pickpockets are over. Digital thieves are the real threat.”


Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.