You open your email and see an urgent message titled 'Account Update Required'.
It claims to be from your bank, but something feels off...
Safeguarding data has never been more important.
Many people turn to password protection for document security, but is it enough?
In most cases, the answer is no, password protection is not secure enough against people with malicious intent.
Password protection can be handy for keeping casual snoopers at bay or adding a simple layer of security for documents that aren't super sensitive, but it isn't as 'protected' as you might think.
A password-protected document is a file with restricted access.
For instance, imagine you’re a business owner sending a confidential contract to a partner.
You use a password to make sure only they can view it, asking them to input a specific combination of characters to access the file.
Password Protection on a Mac, Wired, 2024
You can password-protect many types of files, including Microsoft Word or Google Docs, PDFs, spreadsheets, and presentations.
This feature is commonly used in scenarios where sensitive or proprietary information needs to be shared 'securely' (or so users assume).
The security you get from a password depends on the software and the strength of the password—its length and complexity.
And password protect, as a mechanism, can offer weak security even with a strong password.
"Relying on password-protected documents alone is akin to installing a simple padlock on a gate in a high-security area.
While it may deter casual passers-by, it does little to stop determined intruders who can easily exploit weaknesses, such as poor password management or outdated encryption methods.
Businesses need to think beyond this to truly protect sensitive data."
— Mike Wakefield, CTO, Beyond Encryption
As a writer and researcher in cybersecurity, I’ve often come across cases where reliance on password protection led to serious data breaches.
According to Adobe, 63% of businesses use password-protected documents to send information outside and inside their organisations.
This widespread use is because it's so easy to use, budget-friendly, and gives the impression of adding a quick security boost to shared documents.
Some of the most shared business document types include:
When you protect documents with a password, the contents are encrypted (with different levels of protection depending on the software being used).
The theory is that only those with the right password can open the file.
Most often though, it’s like putting a lock on a 5-foot fence.
Most encryption used in these cases stops casual access.
But it doesn’t do much against determined attackers like hackers, who use sophisticated tools to breach files, or malicious insiders, who might already have access to sensitive systems or information.
Here’s a quick summary of the core problems with password-protected documents:
Let’s explore these issues in more detail:
To share a password-protected file, you must also share the password with the recipient.
Most of the time, you’ll send a separate email with that password.
If the recipient’s email account is compromised, a third party can grab the password and unlock the document.
Many document formats that allow password protection use weak encryption methods.
Older versions of Microsoft Office, for instance, can be cracked easily with the right tools.
In 2022, a flaw in Microsoft Office 2010 let hackers bypass password protection with free software, showing the risks of outdated systems.
"Using outdated encryption methods is like trusting a rusty lock to protect a treasure chest.
It’s simply not enough in today’s threat landscape."
— Adam Byford, CCO, Beyond Encryption
The security of a password-protected file depends on the strength of the password.
That’s why many companies are moving away from passwords.
Research shows that compromised login details may lead to up to 80% of successful data breaches.
Many people pick weak or easy passwords, which can be brute-forced and broken in seconds.
The software used to create and open password-protected files can have known weaknesses.
Hackers can bypass password protection by using these exploits.
In 2023, a flaw in Adobe Acrobat let attackers remove passwords from encrypted PDFs, showing how outdated software risks sensitive data.
Unlike stronger document security methods, password protection doesn’t support two-factor authentication.
It relies on the password only.
Two-factor authentication (2FA) asks for a password plus a second factor, like a code sent to a phone or a fingerprint scan.
Weak security can leave your password-protected files open to various digital threats.
Data interception happens when someone unauthorised snatches data in transit or on email servers.
Hackers can do this by breaking into servers, using flaws in email protocols, or scanning unsecured networks.
Once they get hold of an email with a password-protected file, they can often crack the password using common tools.
Some online tools can remove or bypass a document’s password, especially if it’s protected by outdated encryption.
Many password-cracking tools are free and easy to find.
Password-protected documents can fall victim to brute force attacks, where a program tries different passwords until it finds the right one.
Research shows that by using ChatGPT, an attacker can break an 8-digit password with upper and lowercase letters almost instantly.
Criminals can also trick people into revealing passwords.
This is called social engineering.
They may use phishing emails that look like they’re from a trusted source, so users hand over private information by mistake.
Security isn’t the only drawback to password-protecting your files.
There are other issues too.
Many businesses and customers struggle with sending and receiving password-protected files.
It takes extra time to protect a file with a password and then send a separate email with that password.
There can also be compatibility issues when opening the file.
In regulated industries, such as financial services, rules like MiFID II require the recording and storage of certain communications.
Where accountability and transparency matter, audit trails help identify and reduce risks such as fraud, mistakes, and transaction errors.
When you share password-protected documents, you don’t get a record of who accesses them.
If you forget the password for a protected file, you might be permanently locked out.
This is different from an online account, where you can reset a password.
Most files don’t let you regain access if you lose the password.
Strangely, the ease of using malicious software to crack the file can become a “solution” if you forget your password.
That doesn’t say much about the security!
If you want a different way to send sensitive documents securely, there are a few options.
Print, pack, and post are still used for business communications, but both businesses and consumers are moving to digital channels because of:
Plus, though a recorded delivery postal service might be a bit more secure than password protection, paper documents that pass through many hands aren’t always safe.
Many companies use web-based portals as central hubs where customers can interact and share files.
These portals let businesses and customers upload and download documents more safely than emailing a password-protected file.
But there are downsides:
Read more about the drawbacks of post and portals.
Secure email solutions can help to protect sent documents from being intercepted or changed.
They also help make sure information reaches the right people only.
Secure email often comes with features like:
Using a secure email solution instead of sending password-protected files has several key advantages:
Unlike password-protected documents, secure email can deliver all your information in a single message.
There’s no need to send another message with the password to unlock it.
It also works on all devices.
A secure email can be sent with a few clicks (depending on the provider).
This saves time and reduces mistakes.
Secure email can boost engagement because most people already check their inboxes every day.
Other factors such as the relevance of the content and user preferences for communication methods can also play a significant role in driving engagement.
Many users report that timely and personalised messages significantly enhance their interaction with secure emails.
Password-protected files may protect your outbound data, but they don’t do much for return communications.
Secure email fixes this gap by letting your recipients reply securely to any emails or attachments you send.
Password-protected documents might not quite meet the security and usability needs that today’s users and businesses are looking for.
Weak encryption, password reliance, and vulnerability to brute force or social engineering attacks make them unsuitable for sensitive information.
Handling and sharing these files can slow you down and leave no record of who accessed them, which is important for certain regulations.
Secure email solutions may offer a safer and more effective solution.
With strong encryption, easy-to-use design, and extra security steps, they keep data safe while making communication easy for all involved.
Picking a solution that balances security and convenience is key, but different security solutions have varying trade-offs and use cases.
You can explore various resources to find a secure platform that fits your needs, including our review of the best secure email services.
Why Should Businesses Password Protect Their Documents?, Adobe Blog, 2023
Truth about Passwordless Authentication, OneIdentity, 2024
MiFID II Guidance, European Securities and Markets Authority, 2024
Verizon's Data Breach Investigations Report, Verizon, 2023
Are Your Passwords in the Green?, Hivesystems, Jan 2024
What’s the Price of a Stamp?, Priceofastamp.co.uk, 2024
Royal Mail Delays Affecting Millions, Citizens Advice, 2023
Why Patients Aren't Using Portals, AMA, 2023
Sam Kendall, 03.01.25
Sabrina McClune, 12.06.24