Is Password-Protecting A Document Secure?

Safeguarding data is crucial, with consumers and businesses regularly exposed to online threats such as data breaches and cyber-attacks. Many people use password-protection to keep sensitive documents secure.

But is this really the safest method?

In most cases, the answer is no.

What Is A Password-Protected Document?

A password-protected document is a file with restricted access.

It requires the user to enter a combination of numbers, characters, and symbols to view, edit, or manipulate the contents.

Different types of documents can be password-protected, including Microsoft Word or Google Docs, PDFs, spreadsheets, and presentations.

The security level provided by a password depends on the software used and the strength of the password (i.e., length, complexity, and inclusion of special characters).

An estimated 63% of businesses use password-protected documents to send information both externally and internally within their organisations.

Some of the most shared business document types include:

• Financial documents (45%)
• Contracts (39%)
• Reports (32%)
• Non-disclosure agreements (32%)
• Insurance documents (24%)

Why Is Password Protection Not Secure?

When you protect documents with a password, the contents are secured by a level of encryption, and only those who enter the correct password can access the file.

While this may seem like adequate protection, it is akin to placing a lock on a 5-foot fence.

It acts as a deterrent, preventing immediate access but doesn’t provide much protection from those willing to put in a bit of effort.

Here are some of the core issues with password-protected documents:

Offers Partial Security

The process of delivering a password-protected document requires you to share the password with your recipient.

Most often, this means sending a separate email with the password.

If the recipient’s email account is compromised, a third party could gain access to the document.

Encryption Is Often Weak

Many document formats that allow password protection use weak encryption methods.

For example, older versions of Microsoft Office (a common choice for password protection) use weak encryption and can easily be cracked with the right tools.

Password Strength Dependent

The security of a password-protected document heavily relies on the strength of the password itself, which is why many security providers are moving away from passwords.

Studies show that compromised login credentials, which are preventable vulnerabilities, account for up to 80% of successful data breaches.

Many users tend to use weak or easily guessable passwords, which can be quickly opened using password-cracking tools.

Known Software Exploits

The software used to create and open a password-protected document often has known vulnerabilities that can be exploited to bypass password protection.

This is particularly true for older versions of Microsoft Word on legacy machines that don’t support the latest installations.

Lacks Two-Factor Authentication

Unlike more robust document security, password-protection typically does not support two-factor authentication, relying solely on the strength of a password.

Two-factor authentication requires a password and a second factor, like a code sent to a device or a fingerprint scan.

The Potential Risks Of Sharing Password-Protected Documents

Weak security can leave password-protected documents vulnerable to various digital threats.

Data Interception

Data interception, most commonly via email, refers to the unauthorised access and retrieval of information while it is in transit or stored on email servers.

Malicious third parties can intercept data using various methods, such as hacking into email servers, exploiting protocol vulnerabilities, or lifting data from unsecured networks.

Once a threat actor gets hold of an email containing a password-protected document, they can use accessible methods to crack it open.

Password Recovery Tools

There are tools available online that can remove or bypass password protection on documents, especially if the protection relies on outdated or weak encryption methods.

Many password-cracking tools are open-source and free, making them accessible to anyone with an internet connection.

Brute Force Attacks

Password-protected documents can be vulnerable to brute force attacks, where an attacker uses a program to try many different password combinations until the correct one is found.

Recent research has shown that by using ChatGPT, a threat actor could brute force an 8-digit password that uses numbers and a mixture of upper- and lower-case letters almost instantly.

Social Engineering

Cybercriminals can also manipulate individuals into revealing passwords to protected documents.

Social engineering techniques include phishing, where a threat actor sends an email pretending to be from a legitimate source to trick users into inadvertently providing access to documents.

Other Issues With Password-Protecting Documents

Security vulnerabilities aren’t the only problem with using password protection in your business.

There are several other drawbacks.

Reduced Efficiency

We have found that both businesses and customers struggle with the process of sending and receiving password-protected documentation.

This is mainly due to the time and resources required to set up a document with password protection and send the password to the recipient, as well as compatibility issues with opening it.

Lack of Recording

In regulated sectors such as financial services, regulations like MiFID II mandate the recording and storage of certain communications.

Where accountability and transparency are crucial, audit trails are essential for identifying and mitigating risks such as fraudulent activity, discrepancies, and transaction errors.

Sharing password-protected documents does not provide a record of access.

Risk of Loss

If you forget a password to a protected document, you could be permanently locked out.

This is different from an online account where you might be able to reset a password through email or customer support – there is usually no way to regain access.

Ironically, the ease of cracking a password-protected document using malicious software becomes a bonus if you forget your password – though it doesn’t say much for the security!

How Can You Send Documents Securely?

When looking for an alternative method for transmitting sensitive documents securely, there are several options available.

Traditional Postal Mail

Print, pack, and post still play a significant role in communications, especially when it comes to sending documentation as a business.

However, both businesses and consumers are moving away from this traditional method to digital means, for reasons including:

• Rising expenses, with the cost of a first-class letter increasing by 78% in the last 4 years.
• Unreliable service, with letter delays affecting over 15 million people in the past year.
• Environmental impact, with every tonne of post generating around 3 tonnes of CO2e.

Though the traditional postal service is perhaps slightly more secure than password protection, the integrity of paper documents that pass through many hands is also questionable.

Customer Document Portals

Businesses often use web-based portals as centralised hubs for interacting with customers.

Many portals provide the ability for both businesses and customers to upload and download documents securely.

While this reduces the time and effort typically associated with sending password-protected documents, sharing sensitive information this way comes with some drawbacks:

• Portals still rely on passwords for account access - this leaves any documentation stored within a portal at risk if a user’s credentials are compromised.
• Most portals show low engagement with customers, with studies showing that 70% do not use them and prefer more direct forms of communication.
• Portals can be unintuitive to consumers, with users, especially from older demographics, reporting problems with menu navigation and small font sizes.

Read more about the drawbacks of post and portals.

Secure Email Solutions

Secure email solutions protect emailed documents from interception, manipulation, and error, ensuring they are delivered to the right people (only!).

This is often carried out using a dedicated set of features, including:

• Military-grade encryption for the body of email messages and any attachments.
• Multi-factor authentication, gating content until recipients pass identity checks.
• Audit trails, recording access gained by the sender and recipient to message content.

The Benefits Of Using A Secure Email Solution

There are several key advantages to using a secure email solution vs. sending password-protected documents, such as…

Greater Efficiency

Unlike password-protected documents, secure email requires one message only (rather than one with the document and one with the password) and is compatible with all devices.

A secure email message can be sent in just a few clicks (depending on the provider), streamlining the communication process, saving time, and reducing the margin for error.

Heightened Engagement

Utilising a secure email solution can boost engagement, as checking and answering emails is a habit most people act on every day.

In the case of our secure email solution, Mailock, 79% of messages in the past 12 months were opened, with 68% opened within 24 hours and 35% within the first hour.

Two-Way Security

While password-protected documents provide a measure of security for outbound data, they leave a gap when it comes to inbound communication.

Secure email can bridge this gap by allowing your recipients to respond securely to any emails and documents sent their way.

Final Thoughts

While the use of password protection for documents is widespread, it falls short in terms of security and efficiency.

Utilising a solution that works not only for you but for your recipients is essential for maintaining safe, trusted relationships online.

References:

Why Should Businesses Password Protect Their Documents?, Adobe Blog, 2023.

Surfshark's Password Leak Research, Silicon Republic, 2023.

Verizon's Data Breach Investigations Report, Verizon, 2023.

Are Your Passwords in the Green?, Hivesystems, Jan 2024.

Cost Increase of First-Class Letters, Daily Mail, 2023.

Royal Mail Delays Affecting Millions, Citizens Advice, 2023.

Why Patients Aren't Using Portals, AMA, 2023.

Reviewed By:

Sam Kendall, 12.06.24

Sabrina McClune, 12.06.24