Most Travel Industry Websites Receive Failing Password Security Grades
by Richard D’Ambrosio
A digital security company called Dashlane recently claimed that 89 percent of travel industry websites, including some of the world’s leading brands, fail to adequately provide customer password protection.
According to Dashlane, Airbnb was the only one of the 55 travel-related websites it recently reviewed that received a perfect 5/5 score from the company, based on five “critical password and account security criteria.”
The company, whose researchers reviewed travel sites from Apr. 16–20, 2018, said rankings only indicate the security levels of each website with regard to passwords and account protection. For example, some sites allowed Dashlane researchers to set up accounts with alphanumeric passwords like "12345" and "password."
Brand rankings revealed
Dashlane said any score below 4/5 was considered failing “and not meeting the minimum threshold for good password security.” Companies ranked in that group included Hawaiian Airlines, Hilton Hotels, Marriott International, Royal Caribbean and United Airlines.
The majority of the 55 websites reviewed fell into the 3/5 and 2/5 ratings. But Air Canada, Allegiant Air, American Airlines, Carnival Cruise Lines, Hotwire, TripAdvisor and Trivago all received scores of 1/5. Norwegian Cruise Line garnered a 0/5 rating.
In comparison, in a 2017 Dashlane ranking of non-travel-related consumer websites — including sites like Apple, Facebook, and PayPal — only 36 percent received a failing score.
Tara Lieberman, TripAdvisor's senior public relations specialist, responded to Dashlane's travel industry website study: “TripAdvisor’s password policies are consistent with other similar businesses in our industry and we deploy appropriate security measures to protect our customers.”
“In the instances that we detect fraudulent activity, TripAdvisor’s 24/7 security team and systems take immediate action to safeguard travelers using our site and mobile apps. We take safeguarding our customers’ information seriously. The security landscape is ever-changing, and we are continuously evolving and adopting industry best-practices to ensure we are keeping our customers’ personal information safe.”
"We take seriously the protection of information that belongs to our customers as they access our website," said Andrea Koos, American corporate communications manager. She declined however to comment directly about Dashlane’s report.
Travel Market Report also contacted Marriott, Norwegian and Royal Caribbean about the study, but didn’t receive a reply by press time.
Lieberman also noted how the research “was sponsored by a company that sells password management services and only focuses on a small aspect of the comprehensive security programs that most companies like ours have in place.”
Emmanuel Schalit, CEO at Dashlane, said that given the personal and financial information these sites capture, his firm’s security rankings were designed “to make the modern traveler more aware. The days of worrying about just pickpockets are over, digital thieves are the real threat."
Considerations for travel providers
Dashlane said 96 percent of travel sites tested do not provide two-factor authentication (2FA), and 81 percent do not provide users with a password strength assessment tool during the account creation process.
The travel website category with the worst average score was the cruise industry (1.67/5), Dashlane said, closely followed by online travel agent websites (2/5). On the other end of the spectrum, rental car websites as a group scored the best on average (2.86/5), but across all categories, Dashlane said that industry’s scores were still considered “poor.”
"Big names in the travel industry often come under fire for their physical treatment of customers, receiving public blowback on social media for flight delays, egregious treatment of passengers, or even foodborne illnesses," continued Schalit. "In many cases, the result is a close examination of business practices and positive shift. The travel industry should treat their cybersecurity failings in much the same fashion, and make the necessary changes, such as adding 2FA, in order to protect customers' digital privacy."
Recommendations for travelers
Dashlane recommends that consumers look for websites that require a minimum of eight characters, provide a strength assessment tool, and allow the traveler to create passwords with a mix of case-sensitive letters, numbers, and special symbols. The company believes better sites send the user a confirmation or activation email after an account is created, and do not send a password in plain text.
The company also advises consumers to avoid using passwords that contain common phrases, slang, places, or names; that they use a password manager to help generate, store, and manage passwords; and “under no circumstances should you use an unsecured WiFi connection (e.g. public WiFi) while traveling.”
Dashlane’s password protection app is available on PC, Mac, Android, and iOS.