FlyerTalk Forums - View Single Post - HELP: Someone hacked my AS account - 255K miles gone! Is AS under attack?
Old Jan 3, 2025 | 4:03 pm
  #11  
notquiteaff
FlyerTalk Evangelist
Join Date: Dec 2006
Location: Pacific Northwest
Programs: UA Gold 1MM, AS Plat, AA EP, Bonvoy Plat, Hilton Dia, Hyatt Glob, IHG Plat, ...
Posts: 21,463
Originally Posted by thabc
The inherent problem with passwords is that if they are leaked, they can be used by anyone.
That’s the nice thing about unique-per-site strong passwords: no other site can leak it. Alaska can’t leak it (despite all their IT challenges, I trust they don’t store the passwords in a recoverable form). Even I can’t leak it, because I don’t have the slightest idea what it is. Only my password manager app knows it. And I am certainly not going to look at it and then manually type it into a hotel business center shared computer.

The way leaks often work is that people sign up for some obscure site for some odd one-time purchase or to comment on some forum post. They reuse a password they use elsewhere, not realizing how that obscure site may not have the IT staff or knowledge to maintain their software or implement secure solutions. I have had this discussion countless times with friends and family who just don’t understand or appreciate the risk.

AS could do a better job here by supporting 2FA or passkeys. Lots of companies do 2FA through their apps now which is a lot more convenient (and secure) than a 6-digit code via SMS. I wouldn't mind a "confirm this is you [yes/no]" notification in the Alaska app every time I book an award.
The confirmation email accomplishes basically the same as the notification, no? Unless you don’t read your email on a regular basis, of course, or the fraudulent reservation is for more or less immediate travel.

And a notification that requires approval of a transaction comes with challenges: I manage all my wife’s loyalty accounts. I book our travel out of both of our accounts. But she isn’t always sitting next to me with her phone, so how would this work? I sometimes face this exact challenge with financial accounts. Fortunately I am a buy-and-hold investor in boring ETFs, so I access her accounts mostly to review account balances, download statements, and occasionally transfer funds. Some financial companies have started offering “authorized user” privileges, i.e., I can use my own account credentials to see and transact on her account. Loyalty programs would need something like this for families and maybe even business travelers (EA managing travel for boss).