Is Password-Protecting A Document Secure?

Safeguarding data is more important than ever, with consumers and businesses now regularly exposed to online risks such as data breaches and cyber-attacks. Many people use password-protection to ensure the confidentiality and integrity of sensitive documents.

But is this really the safest method?

In most cases, the answer is no.

What Is A Password-Protected Document?

A password-protected document is a file that has restricted access.

It requires a user to enter a set of numbers, characters, and symbols in order to view, edit, or otherwise manipulate the contents.

Different types of documents can be password protected, including Microsoft Word or Google Docs, PDFs, spreadsheets, and presentations.

The level of security provided by a password can vary depending on the software used to protect the document, and the strength of the password used (i.e., length, complexity, and use of special characters).

An estimated 63% of businesses use password-protected documents to send information both externally and internally within their organisations.

Some of the most shared business document types include:

• Financial documents (45%)
• Contracts (39%)
• Reports (32%)
• Non-disclosure agreements (32%)
• Insurance documents (24%)

Why Is Password Protection Not Secure?

When you protect documents with a password, the contents are secured by a level of encryption, and only those who enter the correct password can gain access to the file.

While this may seem like a suitable level of protection, the end result is very similar to that of placing a locked gate on a 5-foot fence.

It acts as a deterrent, preventing immediate access, but doesn’t provide much protection from those who are willing to put in a little effort.

Here are some of the core issues with password-protected documents.

Offers Partial Security

The process of delivering a password-protected document requires you to share the password with your recipient.

Most often, this results in a separate email with the password being sent.

This means that if the recipient’s email account is compromised, a third party could gain access to the document.

Encryption Is Often Weak

Many document formats that allow password protection make use of weak encryption methods.

For example, older versions of Microsoft Office (a common association with password protection) use weak encryption and can easily be cracked with the right tools.

Password Strength Dependent

The security of a password-protected document is highly dependent on the strength of the password itself, which is why many security providers are moving away from passwords.

Studies show that compromised login credentials, which are preventable vulnerabilities, account for up to 80% of successful data breaches.

Many users tend to use weak or easily guessable passwords, which can be quickly opened using password-cracking tools.

Known Software Exploits

The software used to create and open a password-protected document often have known vulnerabilities that can be exploited to bypass password protection.

This is especially true if software is not updated, for example with older versions of Microsoft Word running on legacy machines that don’t support the latest installations.

Lacks Two-Factor Authentication

Unlike more robust document security, password-protection typically does not support two-factor authentication, relying solely on the strength of a password only.

Two-factor authentication relies on a user providing a password and a second, different factor, for example a code sent to their device or a fingerprint scan.

The Potential Risks If You Share Password-Protected Documents

A lack of comprehensive security can leave password-protected documents open to a variety of digital threats.

 Data Interception

Data interception, which most often happens by email, refers to the unauthorised access and retrieval of information while it is in transit or stored on email servers.

Malicious third parties can intercept data using various methods, such as hacking into email servers, exploiting vulnerabilities in protocols, or lifting data from unsecured networks.

Once a threat actor gets hold of an email containing a password-protected document, they can utilise easily accessible methods to crack it open.

 Password Recovery Tools

There are tools available online that can remove or bypass password protection on documents, especially if the protection relies on outdated or weak encryption methods.

Many password-cracking tools are open-source and free, making them accessible to anyone with an internet connection.

 Brute Force Attacks

Password-protected documents can be vulnerable to brute force attacks, where an attacker uses a program to try many different password combinations until the correct one is found.

Recent research has found that by using ChatGPT, a threat actor could brute force an 8-digit password that uses numbers and a mixture of upper- and lower-case letters almost instantly.

Source: Hivesystems, Jan 2024

 Social Engineering

Cybercriminals can also manipulate individuals into revealing the passwords to protected documents.

Social engineering techniques include phishing, where a threat actor sends an email pretending to be from a legitimate source in order to trick users into inadvertently providing access to documents.

Other Issues With Password-Protecting Documents

Security vulnerabilities aren’t the only issue to be aware of when utilising password protection within your business.

There are several other drawbacks.

 Reduced Efficiency

We have found that both businesses and customers struggle with the process of sending and receiving password-protected documentation.

This is mainly due to the time and resource it takes to set up a document with password protection and send the password to the recipient, as well as compatibility issues with opening it.

Lack Of Recording

In regulated sectors such as financial services, regulations such as MiFID II mandate the recording and storage of certain communications.

Where accountability and transparency are crucial, audit trails are an essential part of identifying and mitigating risks, such as fraudulent activity, discrepancies, and transaction errors.

Sharing password-protected documents does not provide you with a record of access.

 Risk Of Loss

If you forget a password to a protected document, you could be permanently locked out.

This is different from an online account where you might be able to reset a password through email or customer support – there is usually no way to regain access.

Ironically, the ease of cracking a password-protected document using malicious software becomes a bonus if you forget your password – though it doesn’t say much for the security!

How Can You Send Documents Securely?

When considering an alternative method for transmitting sensitive documents securely, there are several options available for you to utilise.

 Traditional Postal Mail

Print, pack, and post still play a significant role in communications, especially when it comes to sending documentation as a business.

However, both businesses and consumers are moving away from this traditional method to digital means, for reasons including:

• Rising expenses, with the cost of a first-class letter increasing by 78% in the last 4 years.
• Unreliable service, with letter delays affecting over 15 million people in the past year.
• Environmental impact, with every tonne of post generating around 3 tonnes of CO2e.

Though the traditional postal service is perhaps slightly more secure than password protection, the integrity of paper documents that pass through so many hands is also questionable.

 Customer Document Portals

Businesses often use web-based portals as centralised hubs for interacting with customers.

Many portals provide the ability for both business and customer to upload and download documents securely.

While this reduces the time and effort typically associated with sending password-protected documents, sharing sensitive information this way comes with some drawbacks:

• Portals still rely on passwords for account access - this leaves any documentation stored within a portal at risk if a user’s credentials are compromised.
• The majority of portals show low engagement with customers, with studies showing that 70% do not use them and prefer more direct forms of communication.
• Portals can be unintuitive to consumers, with users, especially from older demographics, reporting problems with menu navigation and small font sizes.

Read more about the drawbacks of post and portals.

 Secure Email Solutions

Secure email solutions protect emailed documents from interception, manipulation, and error, ensuring that they are delivered to the right people (only!).

This is often carried out using a dedicated set of features, including:

• Military-grade encryption for the body of email messages and any attachments.
• Multi-factor authentication, gating content until recipients pass identity checks.
• Audit trails, recording access gained by sender and recipient to message content.

The Benefits To Using A Secure Email Solution

There are several key advantages to using a secure email solution vs. sending password-protected documents, such as…

 Greater Efficiency

Unlike password-protected documents, secure email requires one message only (rather than one with the document and one with the password) and is compatible with all devices.

A secure email message can be sent in a few clicks or so (depending on the provider), streamlining the communication process, saving time, and reducing the margin for error.

 Heightened Engagement

Utilising a secure email solution can boost engagement, as checking and answering emails is a habit that most people act on every day.

In the case of our secure email solution, Mailock, 79% of messages in the past 12 months were opened, with 68% opened within 24 hours and 35% within the first hour.

 Two-Way Security

While password-protected documents provide a measure of security for outbound data, they leave a gap when it comes to inbound communication.

Secure email can bridge this gap by allowing your recipients to respond securely to any emails and documents sent their way.

Final Thoughts

While the use of password protection for documents is widespread, it falls short in terms of security and efficiency.

Utilising a solution that works not only for you but for your recipients is essential for maintaining safe, trusted relationships online.