Bakit Emailing Password-Protected ZIP Files Is Not Secure (And What to Do Instead)
The practice of sending password-protected ZIP files with the password in a separate email is fundamentally flawed. Learn why this approach fails and tuklasin secure file sharing alternatives.
Bakit Emailing Password-Protected ZIP Files Is Not Secure (And What to Do Instead)
"Compress the file into a password-protected ZIP, email it, then send the password in a follow-up email." This practice is standard in many organizations — and it's fundamentally broken.
In Japan, this method is so common it has a name: PPAP. The Japanese government officially abandoned it in 2020. Here's why every organization should do the same.
Bakit This Method Doesn't Work
1. Password Travels the Same Path as the File
You send the ZIP file and the password from the same email account to the same recipient. If the email is intercepted, the attacker gets both. It's like locking your door and taping the key next to it.
2. Security Software Can't Scan Inside
Most email security gateways can't inspect the contents of password-protected ZIP files. Instead of improving security, this practice actually creates a pathway for malware to bypass your defenses.
The Emotet malware campaign specifically exploited this by distributing itself through password-protected ZIPs.
3. ZIP Encryption Is Weak
Standard ZIP encryption (ZipCrypto) has known vulnerabilities. With the right tools, these files can be cracked in minutes.
4. Doesn't Prevent Misdirected Emails
If you send the first email to the wrong person, you'll almost certainly send the second one to the same wrong person. This method provides zero protection against human error.
5. Terrible User Experience
- Recipients must dig through emails to find the password
- ZIP files are difficult to open on mobile devices
- Repetitive password entry is frustrating
Better Alternatives
Option 1: Cloud Storage Sharing Links
Use Google Drive, OneDrive, Dropbox, or similar cloud storage to share files via links.
Pros:
- Granular access permissions
- Download tracking
- Ability to revoke access
- Malware scanning works
- Version control
Cons:
- Not all services allow password-protecting individual links
- IT policies may restrict external sharing
Option 2: Password-Protected Links
Wrap your cloud storage sharing link with password protection. LOCK.PUB lets you add a password to any URL — including Google Drive links, Dropbox links, or any download URL.
| Comparison | ZIP + Email | LOCK.PUB + Cloud |
|---|---|---|
| Password path | Same (email) | Can be separated |
| Malware scanning | Blocked | Works normally |
| Access logs | None | Available |
| Revoke access | Impossible | Link deletion |
| Misdirected email fix | None | Delete link immediately |
Option 3: Business Chat File Sharing
Share files directly through Slack, Microsoft Teams, or other business messaging platforms. These provide better security than email attachments, though retention policies and security settings need attention.
Option 4: Enterprise File Transfer Solutions
For organizations with strict compliance requirements:
- Box -- Fine-grained access control and audit logs
- SharePoint -- Microsoft 365 integration
- Citrix ShareFile -- Enterprise-grade secure transfer
Paano to Transition Away From ZIP + Email
Hakbang 1
- Survey how widely this practice is used in your organization
- Identify which external partners expect this method
Hakbang 2
- Select tools that fit your IT environment
- Compare costs and operational overhead
Hakbang 3
- Start internally first
- Notify external partners of the change
- Allow a transition period
Hakbang 4
- Document new file sharing policies
- Train all employees on the new procedures
Ang Core Principle: Separate the Password from the File
The fundamental rule is: never send the password through the same channel as the file.
Email the file (or link), send the password via Facebook Messenger or a phone call. Better yet, use LOCK.PUB where the password is built into the link itself — the recipient enters it on access, so there's no need to transmit the password at all.
Ang Bottom Line
Sending password-protected ZIP files by email provides the illusion of security while actually making things worse by blocking malware detection.
Secure file sharing checklist:
- Switch to cloud storage sharing links
- Add password protection to shared links
- Implement access logging
- Establish new file sharing policies
- Train your team on secure practices
Keywords
You might also like
Secure Client Portal Alternative: Share Documents Without Enterprise Software
Skip expensive client portal software. Learn how freelancers, agencies, and small firms can share sensitive documents securely using password-protected links.
Bakit Sharing Passwords on Workplace Chat Apps Is Risky (And What to Do Instead)
Sharing passwords on Slack, Teams, or other workplace messengers creates serious security risks. Learn safer alternatives for credential sharing at work.
Paano Securely Hand Over Work Passwords and Accounts When Leaving a Job
A practical guide to safely transferring dozens of work account credentials to your successor when you resign, with hakbang-hakbang instructions and checklists.
Create your password-protected link now
Create password-protected links, secret memos, and encrypted chats for free.
Get Started Free