How Secure are Password-Protected Files?

February 14th, 2009

We recently discussed email security for accountants and mentioned that password-protected files are not usually a very good solution for meeting data privacy needs.  After writing this and getting some feedback, we thought that the issue of password-protected files deserved some further discussion.  Many people assume that if they use the “password protection” features of whatever software they are using, their data is safe and secure.  However, this is not necessarily the case.  Why?

Using password-protected files to secure data is fast and easy and is built into many applications.  Why not use it?  Certainly, password-protecting files is much better than not doing so.  However, several things determine how secure these “protected” files really are.

First, let’s assume that the file has fallen into the hands of someone (a hacker) trying to steal the data within it.  (If the file is never accessible to unauthorized people in the first place, encryption doesn’t even come into the picture.)  The hacker needs to figure out how to access the protected data.  How can s/he do this?

Unlocking password-protected files?

How can someone access the content of a password-protected file?  Well, that depends:

  1. If the file is not encrypted, but merely marked so that the normal program used to read it (e.g. Microsoft Word) refuses to open it, then the hacker just needs to edit the raw file to remove that block.
  2. If the file is encrypted, but with a weak form of encryption, the hacker may be able to use well-known techniques to break the encryption in a relatively short time, no matter what password is used.
  3. If the file is encrypted with strong encryption, such as AES, the hacker needs to guess the password used.

Case 1 was prevalent many years ago when password protection was first becoming popular.  Various file formats could include codes that the reader programs would detect, causing them to ask for a password before letting the file be viewed.  In these cases, the raw data was not actually encrypted, and the security relied upon the assumptions that (a) the user can’t/won’t look at the raw file and see what the data actually is, and (b) the user can’t/won’t be able to figure out how to edit the raw file to remove the “don’t open me” instructions.  Of course, both of these assumptions are invalid.  No mainstream program with password protection released in the last few years is so insecure as to rely on this kind of assumption.  So, unless you are using old legacy software, you don’t really have to worry about this extreme form of password-protected insecurity.

As a case in point, as recently as 2004 it was discovered that Microsoft Word’s password-to-modify protection (in Word 2000, and in Word 2003 in backwards-compatibility mode) could easily be subverted to gain access to the full contents.  Microsoft responded to this discovery by stating that

“(When) you use the Password to Modify feature, the feature is functioning as intended even when a user with malicious intent bypasses the feature … The behavior occurs because the feature was never designed to protect your document or file from a user with malicious intent.”

Admittedly, this is password protection from editing, not from viewing.  But the point is the same: even widely used software from companies like Microsoft sometimes has no real inherent security in places where a naive user would assume it does.

Case 2 is prevalent even today.  It involves old encryption methods that were long ago shown to be easily broken.  For example, password-protected Word and Excel 95, 97, and 2000 files can be opened by a hacker within 10 seconds because the encryption methods used have known weaknesses; the password you chose does not matter.  For versions 2002 and 2003, the default encryption methods were kept compatible with version 2000 and are thus susceptible to the same easy access by any hacker.  Versions 2002 and 2003 can use 128-bit RC4 for better (though still not strong) encryption; however, you must enable this manually.

Many people still use versions of Microsoft Office older than 2007, and password-protected files generated by these versions are likely to be completely insecure.  Many other programs in common use also rely on old, vulnerable encryption methods that render their password protection just as insecure.

Case 3 is what you want if you need to use password-protected files.  In this scenario, the file is actually encrypted using a strong encryption algorithm such as 128- or 256-bit AES, and the only way to access the original data is to know or guess the password used.  Microsoft Office 2007 uses 128-bit AES encryption for password protection, which places those encrypted documents squarely in this case.  Encrypted ZIP files (via WinZIP) use 128- or 256-bit AES encryption as well.

Note:

  • Adobe Acrobat v9 (for making PDFs) uses 256-bit AES encryption, but its password handling is actually weaker (faster to brute-force) than that available in the previous version of Acrobat.  It is still viable as long as your password is chosen well.
  • Adobe Acrobat v8 uses 128-bit AES encryption; its password handling is implemented in a way that is stronger and takes longer to brute-force than that in v9.  This is currently the best version to use for encryption.
  • WinZIP and PKZIP use 128-bit or 256-bit AES encryption.  Both are good as long as you have a good password.  Note, however, that the file names inside a password-protected ZIP file are visible to anyone without decrypting the file!  If your file names are sensitive … put your password-protected ZIP file inside another password-protected ZIP file.
  • Office 2007 products (Word, Excel, PowerPoint, OneNote) use 128-bit AES encryption.  This is good as long as you have a good password.
  • Office 2002 and 2003 products can use 128-bit RC4, but are not configured to do so by default.  This is bad … don’t use password encryption in these versions!
  • Older versions of Office (as well as the default configurations of Office 2002 and 2003) use an older encryption scheme that is completely broken.  Never use password encryption in these versions.

Breaking Strong Encryption

Password-protected files using strong encryption can only be accessed by knowing or guessing the password.  If you are careful and use a very good password (one that cannot be easily guessed), then this form of password protection is indeed very secure.

However, it is exceedingly common for people, especially those with no security training, to use very simple passwords on such files: words found in the dictionary, like “green”, people’s names, or simple variations on these themes.  Such passwords can be “guessed” easily by simply trying all words in the dictionary, all names, and all commonly used variations of these.  For English, this means a few million possibilities (plus or minus; dictionaries vary).  Computers are so fast that checking a few million possible passwords against an encrypted file can be done very quickly, because the file itself tells the attacker whether each guess was right.  So, any file protected with a password that falls into the category of “easily guessed/cracked” can be reliably opened in short order.  It is not the strength of the encryption that is the problem; it is the strength of the key, the password.
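The following Go program is an added illustration of the point above, not code from the original article or from any of the products it discusses.  It models a password-protected file as a small header (salt, iteration count, verifier); the layout and the key-derivation scheme are constructed for the example and are not the real Office, PDF or ZIP formats, although the iterated-hash shape is the same idea that makes Acrobat 8 slower to brute-force than Acrobat 9.  The wordlist, salt and passwords are constructed sample data.  A dictionary attack with common variations recovers “green123” in 22 guesses whatever the iteration count; the iteration count only changes how long each guess costs, and a password that is not in any wordlist is never found.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// ProtectedHeader is a constructed stand-in for the header of a password-
// protected file (not the real Office, PDF or ZIP layout). The reader program
// stores a random salt, an iteration count and a verifier so it can tell a
// wrong password from a right one without decrypting the body. An attacker
// who has the file has all three.
type ProtectedHeader struct {
	Salt       []byte
	Iterations int
	Verifier   []byte
}

// deriveKey chains SHA-256 over (counter || previous hash) `iterations` times,
// the general shape of the iterated derivations in Office 2007 and Acrobat 8;
// Acrobat 9's single hash corresponds to iterations == 1. Illustrative only,
// not the exact algorithm of any of those products.
func deriveKey(password string, salt []byte, iterations int) []byte {
	h := sha256.Sum256(append(append([]byte{}, salt...), password...))
	var counter [4]byte
	for i := 1; i < iterations; i++ {
		binary.LittleEndian.PutUint32(counter[:], uint32(i))
		h = sha256.Sum256(append(counter[:], h[:]...))
	}
	return h[:]
}

// verifierFor is the value stored in the header for a given key.
func verifierFor(key []byte) []byte {
	v := sha256.Sum256(append([]byte("verifier:"), key...))
	return v[:]
}

// Protect is what the application does when the user sets a password.
func Protect(password string, salt []byte, iterations int) ProtectedHeader {
	key := deriveKey(password, salt, iterations)
	return ProtectedHeader{Salt: salt, Iterations: iterations, Verifier: verifierFor(key)}
}

// CheckPassword is what the reader does when the user types a password. It is
// also exactly what a "password recovery" tool does, once per guess: the
// attacker pays one key derivation per candidate, nothing more.
func (h ProtectedHeader) CheckPassword(password string) bool {
	return bytes.Equal(verifierFor(deriveKey(password, h.Salt, h.Iterations)), h.Verifier)
}

// Candidates expands a wordlist with the cheap "variations on the theme" such
// tools try first: capitalisation and a few common suffixes.
func Candidates(words []string) []string {
	suffixes := []string{"", "1", "12", "123", "!", "2009"}
	var out []string
	for _, w := range words {
		if w == "" {
			continue
		}
		capitalised := strings.ToUpper(w[:1]) + w[1:]
		for _, base := range []string{w, capitalised, strings.ToUpper(w)} {
			for _, s := range suffixes {
				out = append(out, base+s)
			}
		}
	}
	return out
}

// DictionaryAttack tries every candidate and reports the recovered password,
// whether it was found, and how many guesses were needed.
func DictionaryAttack(h ProtectedHeader, words []string) (password string, found bool, guesses int) {
	cands := Candidates(words)
	for i, guess := range cands {
		if h.CheckPassword(guess) {
			return guess, true, i + 1
		}
	}
	return "", false, len(cands)
}

func main() {
	salt := []byte("constructed salt")                       // constructed sample
	words := []string{"apple", "green", "password", "alice"} // constructed mini wordlist
	cases := []struct {
		password   string
		iterations int
	}{
		{"green123", 1},              // weak password, one hash per guess
		{"green123", 50000},          // weak password, iterated: slower per guess, still found
		{"Tq7#rfM!9vLx pear", 50000}, // not in any wordlist: never found
	}
	for _, c := range cases {
		h := Protect(c.password, salt, c.iterations)
		start := time.Now()
		got, ok, n := DictionaryAttack(h, words)
		fmt.Printf("iterations=%-6d found=%-5v guesses=%-3d elapsed=%-10v %q\n",
			c.iterations, ok, n, time.Since(start).Round(time.Millisecond), got)
	}
}
```

Running it shows the two things the text is getting at: raising the iteration count multiplies the cost of every guess (the difference between Acrobat 8 and 9), but a password drawn from a wordlist still falls after a couple of dozen guesses, while a password outside the wordlist is not found at any cost.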

In fact, the demand for opening password-protected Office and PDF files is so great that many commercial programs are available that will do this for you for a few dollars.  These are sold as “password recovery” programs, but are equally useful to people trying to gain unauthorized access to such files.  They do all the guessing and testing and can open most files with poorly chosen passwords.  For example, a quick Google search found:

With all of these utilities readily available, it is within anyone’s reach to open common password-protected files whose passwords are weak.

Other Problems with Password-Protected Files

Unauthorized access to the content of a file is not the only potential problem.  Anyone who has the file and knows its password can also alter the content and re-protect it with the same password in a way that is, for all intents and purposes, undetectable: the password proves only that whoever sealed the file knew the password, not who that was.  So you may have an encrypted file holding important information that has been broken into and changed, and you would not know it.  Using regular password-protected files as “vaults” where the data stored therein is assumed safe and immutable is not a good decision.

So, What Can Be Done?

If you need to use encrypted files, you should:

  • Make sure that the files are encrypted using strong encryption
  • Use good passwords … long ones with uppercase and lowercase characters, numbers, spaces, and symbols.  Things that would never be assembled into a common dictionary or a wordlist of common variations.
  • If you are using password protection for sending files to multiple people, do not use the same password for everyone!  Use a different password for each of your correspondents.  This ensures that the loose lips of one person do not compromise the security of someone else.

We have time and again seen or heard of organizations that use really poor passwords, such as a dictionary word, and use that same password for all encrypted documents.  This is often done to make things easy for the staff or users, but it effectively renders the attempt at encryption laughable.

Digital Signatures

To protect the content of a file against unauthorized change, you have to use a digital signature, like those available in PGP and S/MIME.  A digital signature lets the recipient verify (a) when the content was signed (as reliably as the signer’s clock, unless a trusted timestamp is used), (b) who signed it, and (c) whether it has been altered at all since then.  Unlike a password, the signing key is held only by the sender, so someone who knows the file’s password still cannot produce a valid signature on altered content.
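The following Go program is an added example, not code from the original article, PGP or S/MIME.  It covers both the tampering problem described under “Other Problems with Password-Protected Files” and the remedy just described: a constructed “vault” format (AES-256-GCM under a password-derived key, with an optional Ed25519 signature by the sender placed in front of the document before encryption).  The envelope layout, the sample document and the password are constructed for the example; the key is derived with a single SHA-256, which is the fast-to-brute-force choice criticised earlier and is used here only because this example is about integrity, not guessing cost.  An insider who knows the password edits the amount and re-seals the file: the password-only vault opens cleanly, while the signed version fails verification.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is a constructed "vault" format, not any real product's layout:
// a random nonce plus AES-256-GCM ciphertext under a password-derived key.
// When signed, the plaintext is  signature (64 bytes) || document.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
}

// passwordKey derives the AES key with a single SHA-256 (the weak, fast
// choice discussed above; a real reader should use an iterated derivation).
func passwordKey(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

func gcmFor(password string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(passwordKey(password))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func sealPayload(password string, payload []byte) (Envelope, error) {
	aead, err := gcmFor(password)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	return Envelope{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, payload, nil)}, nil
}

// Seal password-protects doc. With a non-nil signer the document is signed
// with the sender's private key first (sign, then encrypt).
func Seal(password string, doc []byte, signer ed25519.PrivateKey) (Envelope, error) {
	payload := doc
	if signer != nil {
		payload = append(ed25519.Sign(signer, doc), doc...)
	}
	return sealPayload(password, payload)
}

// Open decrypts with the password only. GCM's tag proves the envelope was
// sealed by someone who knew the password; it cannot say whether that
// someone was the original sender.
func Open(password string, env Envelope) ([]byte, error) {
	aead, err := gcmFor(password)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// OpenAndVerify decrypts and then checks the sender's signature over the
// document, which only the holder of the sender's private key can produce.
func OpenAndVerify(password string, env Envelope, sender ed25519.PublicKey) ([]byte, error) {
	payload, err := Open(password, env)
	if err != nil {
		return nil, err
	}
	if len(payload) < ed25519.SignatureSize {
		return nil, errors.New("payload too short to carry a signature")
	}
	sig, doc := payload[:ed25519.SignatureSize], payload[ed25519.SignatureSize:]
	if !ed25519.Verify(sender, doc, sig) {
		return nil, errors.New("signature invalid: content altered or not from the sender")
	}
	return doc, nil
}

// TamperWithPassword is the insider from the text: knowing the password, they
// decrypt, edit the document and re-protect it with the same password.
func TamperWithPassword(password string, env Envelope, old, replacement []byte) (Envelope, error) {
	payload, err := Open(password, env)
	if err != nil {
		return Envelope{}, err
	}
	return sealPayload(password, bytes.ReplaceAll(payload, old, replacement))
}

func main() {
	senderPub, senderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	password := "green123"                         // constructed shared password
	doc := []byte("Transfer to ACME Corp: $1,000") // constructed document

	// Password only: the edited vault opens cleanly and nothing flags the change.
	env, _ := Seal(password, doc, nil)
	env, _ = TamperWithPassword(password, env, []byte("$1,000"), []byte("$9,000"))
	got, err := Open(password, env)
	fmt.Printf("password only : %q (err=%v)\n", got, err)

	// Signed then encrypted: the same tampering is caught on verification.
	env, _ = Seal(password, doc, senderPriv)
	env, _ = TamperWithPassword(password, env, []byte("$1,000"), []byte("$9,000"))
	_, err = OpenAndVerify(password, env, senderPub)
	fmt.Printf("signed+sealed : err=%v\n", err)
}
```

The order matters: the signature is computed over the document and then encrypted along with it, so a recipient learns who wrote the content, and an attacker who can open the file still cannot forge a signature over altered content.  Encryption alone, even an authenticated mode like GCM, only answers “was this sealed with the password?”, which is exactly the question the insider can answer yes to.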

Mitigate Brute Force and Dictionary Attacks

The key to guessing the password to an encrypted file is the hacker’s ability to try as many passwords as s/he likes, as fast as possible, against a copy of the file.  If this is not an option, then “guessing” the password becomes, essentially, impractical, even if the password in use is poor.

How Can This be Accomplished?

If the encrypted file is stored on a server and is accessible only via a web site where you have to enter the password, then:

  • No one has access to the raw encrypted file and thus cannot run any of the available password-cracking tools against the file itself.
  • The web site can lock out access after a few password failures.  For example, after 5 incorrect passwords, the hacker would not be permitted to try again for a few minutes from the same location.  This makes automated testing of large numbers of possible passwords impractical: an attacker gets a handful of guesses per lockout period instead of millions per second.  (A lockout keyed only to the attacker’s location still gives an attacker with many addresses a fresh budget per address, so it should be combined with a strong password.)
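The following Go program is an added example of the lockout described in the list above; it is not code from the original article or from LuxSci’s service.  The limiter counts failures per source (for example a client IP address), refuses further attempts from that source for the lockout period without even checking the password, and uses an injectable clock so that a long attack can be simulated instantly.  The thresholds (5 failures, 5-minute lockout), the source address, the password and the guess list are constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// Limiter implements the lockout above: after MaxFailures wrong passwords
// from one source (for example a client IP address) the source is refused
// for Lockout, and the password is not even checked in the meantime.
type Limiter struct {
	MaxFailures int
	Lockout     time.Duration
	Now         func() time.Time // injectable clock so behaviour can be simulated
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewLimiter(maxFailures int, lockout time.Duration) *Limiter {
	return &Limiter{
		MaxFailures: maxFailures, Lockout: lockout, Now: time.Now,
		failures: map[string]int{}, lockedUntil: map[string]time.Time{},
	}
}

// Attempt returns whether access was granted and a reason. check is only
// consulted when the source is not locked out, so a locked-out attacker gets
// no information at all, not even "wrong password".
func (l *Limiter) Attempt(source, password string, check func(string) bool) (bool, string) {
	now := l.Now()
	if until, locked := l.lockedUntil[source]; locked && now.Before(until) {
		return false, "locked out until " + until.Format(time.RFC3339)
	}
	if check(password) {
		delete(l.failures, source)
		delete(l.lockedUntil, source)
		return true, "ok"
	}
	l.failures[source]++
	if l.failures[source] >= l.MaxFailures {
		l.failures[source] = 0
		l.lockedUntil[source] = now.Add(l.Lockout)
		return false, "too many failures; locked out"
	}
	return false, "wrong password"
}

// GuessesEvaluated simulates an attacker at one source trying guesses one
// after another, perGuess apart, against a simulated clock. It returns how
// many guesses the server actually evaluated and whether any succeeded.
func GuessesEvaluated(l *Limiter, source string, guesses []string, check func(string) bool, perGuess time.Duration) (evaluated int, found bool) {
	clock := time.Date(2009, 2, 14, 9, 0, 0, 0, time.UTC) // simulated clock
	l.Now = func() time.Time { return clock }
	for _, g := range guesses {
		consulted := false
		ok, _ := l.Attempt(source, g, func(p string) bool { consulted = true; return check(p) })
		if consulted {
			evaluated++
		}
		if ok {
			return evaluated, true
		}
		clock = clock.Add(perGuess)
	}
	return evaluated, false
}

func main() {
	check := func(p string) bool { return p == "correct horse battery staple" } // constructed password
	guesses := make([]string, 1000)                                              // constructed guess list
	for i := range guesses {
		guesses[i] = fmt.Sprintf("guess%d", i)
	}
	l := NewLimiter(5, 5*time.Minute)
	n, found := GuessesEvaluated(l, "203.0.113.7", guesses, check, time.Second)
	fmt.Printf("offline: all %d guesses testable at full speed; online with lockout: %d evaluated, found=%v\n",
		len(guesses), n, found)
}
```

With one guess per second, 1000 guesses span about 17 minutes, and the server evaluates only 20 of them (5 per 5-minute lockout window); offline, the same 1000 guesses would take a fraction of a second.  The limiter is keyed by source, so a second source starts with a clean slate: that is the reason for the caveat above about combining the lockout with a strong (ideally long, random) password.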

As a case in point, LuxSci’s SecureLine Escrow service allows LuxSci users to email files to anyone on the Internet who has an email address.  It digitally signs and then encrypts the files using strong encryption and stores them on a secure server.  It never emails the encrypted files themselves, keeping them out of reach of direct attacks.  It uses a long random password and makes access available only via a secure (SSL) web site that automatically locks out access after several failed password guesses.  This kind of communication is uniformly more secure than emailing password-protected files.

Of course, communications security assumes that the sender or recipient is using a computer that is not compromised.  But, that is the subject of a future article.