LuxSciLuxSci
Secure Email,
Web and Form Solutions
Phone: 800-441-6612
sales@luxsci.com
support@luxsci.com

How Secure are Password-Protected Files?

We recently discussed email security for accountants and mentioned that the use of password-protected files is not usually a very good solution for meeting data privacy needs.  After writing this and getting some feed back, we thought that the issue of password-protected files really deserves some further discussion.  Many people are under the assumption that if they use the “password protection” features of whatever software they are using, that their data is safe and secure.  However, this is not necessarily the case.  Why?

Using password-protected files to secure data is fast and easy and built into many applications.  Why not use it?  Certainly, password protecting files is much better than not doing so.  However, there are several things that determine how secure these “protected” files really are.

First, let’s assume that the file has fallen into the malicious hands of someone (a hacker) trying to steal the data from within it.  If the file is not accessible to unauthorized people in the first place, encryption doesn’t even come into the picture.  The hacker needs to figure out how to access the protected data.  How can s/he do this?

Unlocking password-protected files?

How can someone access the content of a password -protected file?  Well, that depends:

  1. If the file is not encrypted, but not openable in the normal program that is used to read it (i.e. like Microsoft Word), then the hacker just needs to remove the block on opening the file by editing the file.
  2. If the file is encrypted, but with a weak/poor form of security, the hacker may be able to use well known techniques to break into the security in a relatively short amount of time, no matter what password is used.
  3. If the file is encrypted with strong encryption, such as AES, the hacker needs to guess the password used.

Case 1 used to be prevalent many years ago when password-protection was first becoming popular.  Various file formats could include codes that the reader programs would detect and cause them to ask for a password before letting the file be viewed.  In these cases, the raw data was not actually encrypted, and the security relied upon the assumption that (a) the user can’t/won’t look at the raw file and see what the data actually is and (b) the user can’t/won’t be able to figure out how to edit the raw file to remove the “don’t open me” instructions.  Of course, both of these assumptions are invalid.   No mainstream program released in the last few years with password protection is so insecure as to use these kind of assumptions.  So, unless you are using old legacy software, you don’t really have to worry about this extreme form of password-protected insecurity.

As a case in point, as recently as 2004, it was discovered that Microsoft Word’s (version 2000 and 2003 in backwards-compatibility mode) password-to-modify protection can be subverted easily to gain access to the full contents.  Microsoft responded to this discovery by stating that

“(When) you use the Password to Modify feature, the feature is functioning as intended even when a user with malicious intent bypasses the feature … The behavior occurs because the feature was never designed to protect your document or file from a user with malicious intent.”

Admittedly, this is not exactly password protection from viewing, but password protection from editing.  But the point is the same: even widely used software from companies like Microsoft sometimes does not have any kind of real inherent security in places where a naive user would assume it does.

Case 2 is prevalent even today.  This involves using old encryption methods that have long ago proven to be easily broken.  For example, Word and Excel 95, 97, and 2000 files with password protection can be opened by a hacker withing 10 seconds because the encryption methods used contain known problems.  For versions 2002 and 2003, the default encryption methods were made to be compatible with version 2000 and are thus susceptible to the same kind of easy access by any hacker.  Versions 2002 and 2003 can use 128-bit RC4 for better (though not super) encryption; however, you need to manually enable this.

Many people still use versions of Microsoft Office older than 2007, and password-protected files generated by these versions are likely to be completely insecure.  Many other programs commonly in use are also using old vulnerable encryption methods that render them completely insecure.

Case 3 is what you want if you need to use password-protected files.  In this scenario, the file is actually encrypted using a highly secure encryption algorithm such as 128- or 256-bit AES.  The only way to access the original data is to know or guess the password used.  Microsoft Office 2007 uses 128-bit AES encryption for password protection and places those encrypted documents squarely in this case.  Encrypted ZIP files (via WinZIP) use 128- or 256-bit AES encryption as well.

Note:

  • Adobe Acrobat v9 (for making PDFs) uses 256-bit AES encryption, but this is actually weaker than that available in previous versions of Acrobat.  This is still viable as long as your password is chosen well.
  • Adobe Acrobat v8 uses 128-bit AES encryption; it is implemented in a way that is stronger and takes longer to break than that in v9.  This is the best version, currently, to use for encryption.
  • WinZIP and PkZIP use 128-bit or 256-bit AES encryption.  These are both good as long as you have a good password.  Note, however, that the file names inside a password-protected ZIP file are visible to anyone without needing to decrypt the file!  If your file names are sensitive … put your password-protected ZIP file inside of another password-protected ZIP file.
  • Office 2007 products (Word, Excel, Powerpoint, One Note) use 128-bit AES Encryption.  This is good as log as you have a good password.
  • Office 2002 and 2003 products can use 128-bit RC4, but are not configured to by default.  This is bad … don’t use password encryption in these versions!
  • Older versions of Office (as well as the default configurations of Office 2002 and 2003) use an older encryption scheme that is completely broken. Never use password encryption in these versions.

Breaking Strong Encryption

Password-protected files using strong encryption can only be accessed by knowing or guessing the passwords.  If you are careful and use a very good password (i.e. one that cannot be easily guessed), then this form of password protection is indeed very secure.

However, it is exceedingly common for people, especially those with no security training, to use very simple passwords on such files.  I.e. words found in the dictionary, like “green”, people’s names, or simple variations on these themes.    Such passwords can be “guessed” easily by simply trying all words in the dictionary, all names, and all commonly used variations on all of these.  For English, this means a few million possibilities (plus or minus — dictionaries vary).  Computers are so fast that checking a few million possible passwords against an encrypted file can be done very quickly.  So, any file protected with a password that falls into the category of “easily guessed/cracked” can be reliably opened in short order.  It is not the strength of the encryption that is the problem, it is the strength of the key — the password.

In fact, the demand for opening password-protected Office and PDF files is so great that there are many commercial programs available that can do this for you for a few dollars.  These are “password recovery” programs, but are equally useful to people trying to gain unauthorized access to such files.  They will do all the guessing and testing and can open most files with poorly chosen passwords.  For example, a quick Google search found:

With all of these utilities readily available, it is within anyone’s reach to open common password-protected files.

Other Problems with Password-Protected Files

Unauthorized access to the content of a file is not the only potential problem.  Anyone who can get access to the file content and its password can also alter the file content and re-protect it with the same password in a way that is, for all intents and purposes, undetectable.  So, you have have an encrypted file that holds important information that has been broken into and changed and you would not know it.  Use of regular password-protected files as “vaults” where the data stored therein is assumed safe and immutable is not a really good decision.

So, What Can Be Done?

If you need to use encrypted files, you should:

  • Make sure that the files are encrypted using strong encryption
  • Use good passwords … ones with uppercase and lowercase characters, numbers, spaces, and symbols.  Things that would never be assembled into a common dictionary.
  • If you are using password protection for sending files to multiple people, do not use the same password for everyone!  Use a different password for each of your corespondents.   This ensures that the loose lips of one person does not compromise the security of someone else.

We have time and again seen or heard of organizations that use really poor passwords, like a dictionary word, and use that same password for all encrypted documents.  This is often done to make things easy for the staff or users, but effectively renders the attempt at encryption laughable.

Digital Signatures

To protect the content of the file against unauthorized change, you will have to use a digital signature, like that available in PGP and S/MIME.  The digital signature allows you to verify (a) when the content was signed, (b) who signed it, and (c) if it has been altered at all since then.

Mitigate Brute Force and Dictionary Attacks

The key to being able to guess the password to an encrypted file is the ability of the hacker to try as many passwords as s/he likes as fast as possible.  If this is not an option, then “guessing” the password becomes, essentially, impossible — even if the password in use is poor.

How Can This be Accomplished?

If the encrypted file is stored in a server with access only available via a web site where you have to enter the password, then:

  • No one has access to the raw encrypted file and thus cannot use any of the available password cracking tools against the file itself.
  • The web site can lock out access after a few password failures.  For example, after 5 incorrect passwords, the hacker would not be permitted to try again for a few minutes from the same location.  This makes automated testing of large numbers of possible passwords impossible.

As a case in point, LuxSci’s SecureLine Escrow service allows LuxSci users to email files to anyone on the Internet who has an email address.  It digitally signs and then encrypts the files using strong encryption and stores them on a secure server.  It will never email the encrypted files themselves, keeping them invulnerable to direct attacks.  It uses a long random password and makes access only available via a secure (over SSL) web site which automatically locks out access after several failed password guesses.   This kind of communication is uniformly more secure that emailing password-protected files.

Of course, communications security assumes that the sender or recipient is using a computer that is not compromised.  But, that is the subject of a future article.

4 Responses to “How Secure are Password-Protected Files?”

  1. Accounting, Taxes, and Identity Theft | LuxSci FYI Says:

    [...] and our digital life « Stop the Mail! Restrict Users from Emailing to Certain Addresses How Secure are Password-Protected Files? [...]

  2. RainbowCrack 1.3 - password recovery | PenTestIT Says:

    [...] How Secure are Password-Protected Files? | LuxSci FYI [...]

  3. How to reset Administrator password for Windows? | PenTestIT Says:

    [...] H&#111&#119&#32Secure are Password-Protected Files? | LuxSci FYI &#10&#10&#10Related External Links [...]

  4. Security Simplified: The Base+Suffix Method for Memorable Strong Passwords | LuxSci FYI Says:

    [...] file, you must be sure that (a) you use a strong password for that file, and (b) that the password-protection in use is actually good; i.e. old versions of Microsoft Office have useless password protection.  If the password is weak [...]

Leave a Comment

You must be logged in to post a comment.

TRUSTe EU Safe Harbor Thawte Extended Validation SSL Certificate McAfee Secure Authorize.net Merchant
• Access Anywhere
• Fast and Robust
• Super Secure
• Tons of Features
• Customizable
• Mobile Friendly

Send and receive email from your favorite programs, including:

 Microsoft Outlook
 Mozilla Thunderbird
 Apple Mail
 Windows Mail

... Virtually any program that supports POP, IMAP, or SMTP

Keep your email, contacts, and calendars in sync:

 Apple iPhone and iPad
 Android Devices
 BlackBerry
 Windows Phone

... Any device with Exchange ActiveSync (EAS) support

Relay your server's mail through LuxSci via smarthost:

• Resolve issues with ISP sending limits and restrictions
• Improve deliverability with better IP reputation and IP masking
• Take advantage of Email Archival and HIPAA Compliance
• Even setup smarthosting from Google Apps!

Free web site hosting with any email account:

• Start with up to 10 web sites and MySQL databases
• DNS services for one domain included
• Tons of features and fully HIPAA capable

LuxSci's focus on security and privacy:

• Read The Case for Email Security
• Read Mitigating Security & Privacy Threats
• Review our Privacy Policy

The most accurate, flexible, and trusted filters in the business:

• Premium protection with Intel Security Saas
• Realtime virus database guards against the latest threats
• Seven-day quarantine lets you put eyes on every filtered email
• Supplement with our Basic Spam Filter for even more features

End-to-end secure email encryption — to anyone, from anyone:

• No setup required — encryption is automatic and easy to use
• Secure outbound email with TLS, PGP, S/MIME, or Escrow
• Free inbound encryption via our SecureSend portal
• Independent of your recipient's level of email security
• Widely compatible and fully HIPAA Compliant

Add an extra layer of security with an SSL Certificate:

• Secure your web site
• Debrand LuxSci WebMail with your own secure domain
• Access secure email services via your own secure domain

Encrypt your service traffic via secure tunnel:

• Add another layer of security to your SSL connections
• WebMail, POP, IMAP, SMTP, web/database access
• SecureForm posts, SecureLine Escrow, SecureSend access
• Restrict your account to VPN access only

Secure long-term message archival:

• Immutable, tamperproof email retention with audit trails
• No system requirements — minimal setup, even less upkeep
• Realtime archival of all inbound and outbound messages
• Works anywhere — even with non-LuxSci email hosting

Free data backups included with all email hosting accounts:

• Automatic backups of all email, WebAides, web/database data
• Seven daily backups and up to four weekly backups
• Unlimited restores included at no additional cost
• Custom backup schedules for dedicated servers

Automate your email management:

• Save messages to specific folders or to LuxSci WebAides
• Advanced text scanning with regular expressions
• Tag messages, alter subject lines, or add custom headers
• Filter by message charset, type, TLS status, DKIM status
• Chain filters together for even more complex actions

• Bulk add and edit users, aliases and more
• Control sharing and access globally or on a granular level
• Delegate user roles through permissions
• Configure account-wide taglines, sending restrictions, and more
• Remotely administer account via SOAP API

Share, collaborate, organize, synchronize:

• Calendars, Contacts, Documents, Notes, Widgets, Workspaces
• Fine-grained access control and security
• Access anywhere via secure web portal or smartphone
• Save over solutions like Microsoft Exchange

Free folder sharing for all email hosting accounts:

• Share mail folders with other users in your account
• Subscribe to only the folders you want to see
• Set read-only or read-write access control
• View all personal and shared folders via unified web interface

Color code and label your email messages:

• Define and assign multiple IMAP keywords to each message
• Filter, search, and sort by tags
• Compatible and synchronizes with any IMAP email client
• Also usable with WebAide entries