
Is Password-Protecting a Document Secure?

You open your email and see an urgent message titled 'Account Update Required'.

It claims to be from your bank, but something feels off...

Safeguarding data has never been more important.

Many people turn to password protection for document security, but is it enough?

In most cases, the answer is no: password protection is not secure enough against people with malicious intent.

Password protection can be handy for keeping casual snoopers at bay or adding a simple layer of security for documents that aren't super sensitive, but it isn't as 'protected' as you might think.

What Is a Password-Protected Document?

A password-protected document is a file with restricted access.

For instance, imagine you’re a business owner sending a confidential contract to a partner.

You use a password to make sure only they can view it, asking them to input a specific combination of characters to access the file.

Password Protection on a Mac, Wired, 2024

You can password-protect many types of files, including Microsoft Word or Google Docs, PDFs, spreadsheets, and presentations.

This feature is commonly used in scenarios where sensitive or proprietary information needs to be shared 'securely' (or so users assume).

The security you get from a password depends on the software and the strength of the password—its length and complexity.

And password protection, as a mechanism, can offer weak security even with a strong password.

"Relying on password-protected documents alone is akin to installing a simple padlock on a gate in a high-security area.

While it may deter casual passers-by, it does little to stop determined intruders who can easily exploit weaknesses, such as poor password management or outdated encryption methods.

Businesses need to think beyond this to truly protect sensitive data."

Mike Wakefield, CTO, Beyond Encryption

As a writer and researcher in cybersecurity, I’ve often come across cases where reliance on password protection led to serious data breaches.

How Much Is Password Protection Used?

According to Adobe, 63% of businesses use password-protected documents to send information outside and inside their organisations.

This widespread use is because it's so easy to use, budget-friendly, and gives the impression of adding a quick security boost to shared documents.

Some of the most shared business document types include:

  • Financial documents
  • Contracts
  • Reports
  • Non-disclosure agreements
  • Insurance documents

Why Is Password Protection Not Secure?

When you protect documents with a password, the contents are encrypted (with different levels of protection depending on the software being used).

The theory is that only those with the right password can open the file.

Most often though, it’s like putting a lock on a 5-foot fence.

Most encryption used in these cases stops casual access.

But it doesn’t do much against determined attackers like hackers, who use sophisticated tools to breach files, or malicious insiders, who might already have access to sensitive systems or information.

Here’s a quick summary of the core problems with password-protected documents:

  • They provide only partial security, as sharing passwords can lead to vulnerabilities.
  • Encryption methods used in some document formats are often weak and outdated.
  • The level of protection depends entirely on the strength of the chosen password.
  • Software exploits can allow hackers to bypass password protections.
  • They lack two-factor authentication, leaving them more exposed to breaches.

Let’s explore these issues in more detail:

Offers Partial Security

To share a password-protected file, you must also share the password with the recipient.

Most of the time, you’ll send a separate email with that password.

If the recipient’s email account is compromised, a third party can grab the password and unlock the document.

Encryption Is Often Weak

Many document formats that allow password protection use weak encryption methods.

Older versions of Microsoft Office, for instance, can be cracked easily with the right tools.

In 2022, a flaw in Microsoft Office 2010 let hackers bypass password protection with free software, showing the risks of outdated systems.

"Using outdated encryption methods is like trusting a rusty lock to protect a treasure chest.

It’s simply not enough in today’s threat landscape."

Adam Byford, CCO, Beyond Encryption
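
For PDFs, the strength of the encryption behind a password can be checked before a file is shared. The sketch below is an added example, not code from this article or from any vendor: it reads the encryption settings a PDF declares and reports the cipher in use. The sample byte strings are constructed, the function name and the weak/legacy/current labels are this example's own, and the /V, /R and /CFM meanings follow the PDF specification.

```python
import re

# Constructed samples: only the encryption dictionary of a PDF, not real files.
SAMPLES = {
    "old_rc4.pdf": b"5 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -44 >>\nendobj\n"
                   b"trailer\n<< /Encrypt 5 0 R >>",
    "aes128.pdf": b"7 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128\n"
                  b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> >>\nendobj\n"
                  b"trailer\n<< /Encrypt 7 0 R >>",
    "aes256.pdf": b"9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256\n"
                  b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >>\nendobj\n"
                  b"trailer\n<< /Encrypt 9 0 R >>",
    "plain.pdf": b"1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>",
}

def _int(key, blob, default):
    """Return the integer value of /key in blob, or default if absent."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", blob)
    return int(m.group(1)) if m else default

def audit_pdf_encryption(data):
    """Heuristically classify the Standard security handler settings in raw PDF bytes.

    Returns (cipher, rating); the rating labels are this example's own.
    """
    if not re.search(rb"/Encrypt\b", data):
        return ("not encrypted", "none")
    # The encryption dictionary is the object that names the Standard handler.
    blobs = [c for c in data.split(b"endobj") if re.search(rb"/Filter\s*/Standard\b", c)]
    if not blobs:
        return ("unknown handler", "review")
    blob = blobs[0]
    v, r = _int(b"V", blob, 0), _int(b"R", blob, 0)
    if v == 1:                                   # RC4 with a fixed 40-bit key
        return ("RC4-40", "weak")
    if v == 2:                                   # RC4, key size in /Length (bits)
        return (f"RC4-{_int(b'Length', blob, 40)}", "weak")
    cfm = re.search(rb"/CFM\s*/(\w+)", blob)     # crypt filter method (/V 4 and 5)
    method = cfm.group(1) if cfm else b""
    if v == 4 and method == b"AESV2":
        return ("AES-128", "legacy")
    if v == 4 and method == b"V2":
        return ("RC4", "weak")
    if v == 5 and method == b"AESV3":            # /R 5 is the older Adobe variant
        return ("AES-256", "current" if r >= 6 else "legacy")
    return ("unrecognised settings", "review")

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, *audit_pdf_encryption(data))
```

A "current" result only describes the cipher; a short or reused password still limits the protection the file actually gets.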

Password Strength Dependent

The security of a password-protected file depends on the strength of the password.

That’s why many companies are moving away from passwords.

Research shows that compromised login details may lead to up to 80% of successful data breaches.

Many people pick weak or easy passwords, which can be brute-forced and broken in seconds.

Known Software Exploits

The software used to create and open password-protected files can have known weaknesses.

Hackers can bypass password protection by using these exploits.

In 2023, a flaw in Adobe Acrobat let attackers remove passwords from encrypted PDFs, showing how outdated software risks sensitive data.

Lacks Two-Factor Authentication

Unlike stronger document security methods, password protection doesn’t support two-factor authentication.

It relies on the password only.

Two-factor authentication (2FA) asks for a password plus a second factor, like a code sent to a phone or a fingerprint scan.

The Potential Risks of Sharing Password-Protected Documents

Weak security can leave your password-protected files open to various digital threats.

Data Interception

Data interception happens when someone unauthorised snatches data in transit or on email servers.

Hackers can do this by breaking into servers, using flaws in email protocols, or scanning unsecured networks.

Once they get hold of an email with a password-protected file, they can often crack the password using common tools.

Password Recovery Tools

Some online tools can remove or bypass a document’s password, especially if it’s protected by outdated encryption.

Many password-cracking tools are free and easy to find.

Brute Force Attacks

Password-protected documents can fall victim to brute force attacks, where a program tries different passwords until it finds the right one.

Research shows that by using ChatGPT, an attacker can break an 8-digit password with upper and lowercase letters almost instantly.

Social Engineering

Criminals can also trick people into revealing passwords.

This is called social engineering.

They may use phishing emails that look like they’re from a trusted source, so users hand over private information by mistake.

Other Issues with Password-Protecting Documents

Security isn’t the only drawback to password-protecting your files.

There are other issues too.

Reduced Efficiency

Many businesses and customers struggle with sending and receiving password-protected files.

It takes extra time to protect a file with a password and then send a separate email with that password.

There can also be compatibility issues when opening the file.

Lack of Recording

In regulated industries, such as financial services, rules like MiFID II require the recording and storage of certain communications.

Where accountability and transparency matter, audit trails help identify and reduce risks such as fraud, mistakes, and transaction errors.

When you share password-protected documents, you don’t get a record of who accesses them.

Risk of Loss

If you forget the password for a protected file, you might be permanently locked out.

This is different from an online account, where you can reset a password.

Most files don’t let you regain access if you lose the password.

Strangely, the ease of using malicious software to crack the file can become a “solution” if you forget your password.

That doesn’t say much about the security!

How Can You Send Documents Securely?

If you want a different way to send sensitive documents securely, there are a few options.

Traditional Postal Mail

Print, pack, and post are still used for business communications, but both businesses and consumers are moving to digital channels because of:

  • Rising Expenses: The cost of a first-class letter has gone up by 78% in the last four years.
  • Unreliable Service: Letter delays have affected over 15 million people in the last year.
  • Environmental Impact: Every tonne of post creates around 3 tonnes of CO2e.
  • Convenience: Digital channels allow instant communication and remove the need for physical handling, saving time for both sender and recipient.
  • Tracking: Many digital platforms provide real-time tracking and delivery confirmation, improving reliability and transparency.

Plus, though a recorded delivery postal service might be a bit more secure than password protection, paper documents that pass through many hands aren’t always safe.

Customer Document Portals

Many companies use web-based portals as central hubs where customers can interact and share files.

These portals let businesses and customers upload and download documents more safely than emailing a password-protected file.

But there are downsides:

  • Portals still rely on passwords for account access: If a user’s login is stolen, documents stored there are at risk.
  • They often show low engagement: Studies say 70% of customers don’t use them and prefer more direct methods of communication.
  • Some find portals unintuitive, especially older users: They report problems like small text and confusing menus.

Read more about the drawbacks of post and portals.

Secure Email Solutions

Secure email solutions can help to protect sent documents from being intercepted or changed.

They also help make sure information reaches the right people only.

Secure email often comes with features like:

  • Military-grade encryption for emails and attachments.
  • Multi-factor authentication, so readers have to pass identity checks.
  • Audit trails, to record every time a sender or recipient gains access.

The Advantages of a Secure Email Solution

Using a secure email solution instead of sending password-protected files has several key advantages:

Greater Efficiency

Unlike password-protected documents, secure email can deliver all your information in a single message.

There’s no need to send another message with the password to unlock it.

It also works on all devices.

A secure email can be sent with a few clicks (depending on the provider).

This saves time and reduces mistakes.

Heightened Engagement

Secure email can boost engagement because most people already check their inboxes every day.

Other factors such as the relevance of the content and user preferences for communication methods can also play a significant role in driving engagement.

Many users report that timely and personalised messages significantly enhance their interaction with secure emails.

Two-Way Security

Password-protected files may protect your outbound data, but they don’t do much for return communications.

Secure email fixes this gap by letting your recipients reply securely to any emails or attachments you send.

Password Protect: A Lack of Security, a Lack of Usability

Password-protected documents might not quite meet the security and usability needs that today’s users and businesses are looking for.

Weak encryption, password reliance, and vulnerability to brute force or social engineering attacks make them unsuitable for sensitive information.

Handling and sharing these files can slow you down and leave no record of who accessed them, which is important for certain regulations.

Secure email may offer a safer and more effective alternative.

With strong encryption, easy-to-use design, and extra security steps, they keep data safe while making communication easy for all involved.

Picking a solution that balances security and convenience is key, but different security solutions have varying trade-offs and use cases.

You can explore various resources to find a secure platform that fits your needs, including our review of the best secure email services.

 

References

Why Should Businesses Password Protect Their Documents?, Adobe Blog, 2023

Truth about Passwordless Authentication, OneIdentity, 2024

MiFID II Guidance, European Securities and Markets Authority, 2024

Verizon's Data Breach Investigations Report, Verizon, 2023

Are Your Passwords in the Green?, Hivesystems, Jan 2024

What’s the Price of a Stamp?, Priceofastamp.co.uk, 2024

Royal Mail Delays Affecting Millions, Citizens Advice, 2023

Why Patients Aren't Using Portals, AMA, 2023

Reviewed by

Sam Kendall, 03.01.25

Sabrina McClune, 12.06.24

 

Originally posted on 25 01 24
Last updated on January 5, 2025

Posted by: Sabrina McClune

Sabrina McClune is a Women in Tech Excellence 2022 finalist who writes extensively on cybersecurity, digital transformation, data protection, and digital identity. With a postgraduate degree in Digital Marketing (Distinction) and a First-Class Honours degree in English, she combines a strong academic foundation with professional expertise. At Beyond Encryption, Sabrina develops research-led content that supports financial and technology sectors navigating the complexities of the digital age.
