The vast majority of travelers book their vacations online these days—and now over a third even use their smartphone to make all the arrangements. But how seriously do these booking sites take data security?

As it turns out, not very—at least when it comes to password protection, according to a new report from password manager Dashlane. While companies typically have multiple layers of security, passwords are the “first line of defense, the forgotten hero,” says Ryan Merchant, an author on Dashlane’s report.

Of the 55 top travel booking websites Dashlane tested —which included all of the major U.S. airlines, rental car and cruise companies—only apartment/housing rental site Airbnb received top marks for its data security policies around password protection. Hawaiian Airlines, Hilton, Marriott, Royal Caribbean and United Airlines also all passed Dashlane’s tests.

But a staggering 89% of the travel sites tested failed, including major booking sites like Expedia and Orbitz. Norwegian Cruises was the worst, coming in dead last in Dashlane’s analysis.

Expedia, Orbitz, and Norwegian Cruises did not immediately respond to requests for comment.

“It’s just baffling in 2018 that every company isn’t implementing basic security requirements for their users,” Merchant says.

The password manager analyzed whether the sites met basic standards when it came to passwords, such as requiring more than eight characters and stipulating that customers use both letters and numbers, while also testing whether sites allowed really weak passwords like 12345 or ‘password.’

From there, Dashlane also evaluated whether the site showed users how strong or weak their password was and if they sent an account verification email. Finally, sites earned credit if they offered two-factor authentication. Only two companies tested did so: Airbnb and hotel site Booking.com.