Why Emailing Password-Protected ZIP Files Is Not Secure (And What to Do Instead)
The practice of sending password-protected ZIP files with the password in a separate email is fundamentally flawed. Learn why this approach fails and discover secure file sharing alternatives.
Why Emailing Password-Protected ZIP Files Is Not Secure (And What to Do Instead)
"Compress the file into a password-protected ZIP, email it, then send the password in a follow-up email." This practice is standard in many organizations — and it's fundamentally broken.
In Japan, this method is so common it has a name: PPAP. The Japanese government officially abandoned it in 2020. Here's why every organization should do the same.
Why This Method Doesn't Work
1. Password Travels the Same Path as the File
You send the ZIP file and the password from the same email account to the same recipient. If the email is intercepted, the attacker gets both. It's like locking your door and taping the key next to it.
2. Security Software Can't Scan Inside
Most email security gateways can't inspect the contents of password-protected ZIP files. Instead of improving security, this practice actually creates a pathway for malware to bypass your defenses.
The Emotet malware campaign specifically exploited this by distributing itself through password-protected ZIPs.
3. ZIP Encryption Is Weak
Standard ZIP encryption (ZipCrypto) has known vulnerabilities. With the right tools, these files can be cracked in minutes.
4. Doesn't Prevent Misdirected Emails
If you send the first email to the wrong person, you'll almost certainly send the second one to the same wrong person. This method provides zero protection against human error.
5. Terrible User Experience
- Recipients must dig through emails to find the password
- ZIP files are difficult to open on mobile devices
- Repetitive password entry is frustrating
Better Alternatives
Option 1: Cloud Storage Sharing Links
Use Google Drive, OneDrive, Dropbox, or similar cloud storage to share files via links.
Pros:
- Granular access permissions
- Download tracking
- Ability to revoke access
- Malware scanning works
- Version control
Cons:
- Not all services allow password-protecting individual links
- IT policies may restrict external sharing
Option 2: Password-Protected Links
Wrap your cloud storage sharing link with password protection. LOCK.PUB lets you add a password to any URL — including Google Drive links, Dropbox links, or any download URL.
| Comparison | ZIP + Email | LOCK.PUB + Cloud |
|---|---|---|
| Password path | Same (email) | Can be separated |
| Malware scanning | Blocked | Works normally |
| Access logs | None | Available |
| Revoke access | Impossible | Link deletion |
| Misdirected email fix | None | Delete link immediately |
Option 3: Business Chat File Sharing
Share files directly through Slack, Microsoft Teams, or other business messaging platforms. These provide better security than email attachments, though retention policies and security settings need attention.
Option 4: Enterprise File Transfer Solutions
For organizations with strict compliance requirements:
- Box — Fine-grained access control and audit logs
- SharePoint — Microsoft 365 integration
- Citrix ShareFile — Enterprise-grade secure transfer
How to Transition Away From ZIP + Email
Step 1: Assess Current Usage
- Survey how widely this practice is used in your organization
- Identify which external partners expect this method
Step 2: Choose Alternatives
- Select tools that fit your IT environment
- Compare costs and operational overhead
Step 3: Gradual Migration
- Start internally first
- Notify external partners of the change
- Allow a transition period
Step 4: Formalize and Train
- Document new file sharing policies
- Train all employees on the new procedures
The Core Principle: Separate the Password from the File
The fundamental rule is: never send the password through the same channel as the file.
Email the file (or link), send the password via iMessage or a phone call. Better yet, use LOCK.PUB where the password is built into the link itself — the recipient enters it on access, so there's no need to transmit the password at all.
The Bottom Line
Sending password-protected ZIP files by email provides the illusion of security while actually making things worse by blocking malware detection.
Secure file sharing checklist:
- Switch to cloud storage sharing links
- Add password protection to shared links
- Implement access logging
- Establish new file sharing policies
- Train your team on secure practices
Keywords
You might also like
Why You Should Never Share Passwords in Work Chat (And What to Do Instead)
Sharing passwords via Slack, Teams, or any work messenger is a security risk. Learn about message history exposure, ex-employee access, search risks, and secure alternatives.
Why Sharing Passwords on Workplace Chat Apps Is Risky (And What to Do Instead)
Sharing passwords on Slack, Teams, or other workplace messengers creates serious security risks. Learn safer alternatives for credential sharing at work.
How to Securely Hand Over Work Passwords and Accounts When Leaving a Job
A practical guide to safely transferring dozens of work account credentials to your successor when you resign, with step-by-step instructions and checklists.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free