Are Password-Protected ZIPs Dangerous?
Think password-protected ZIPs are secure? They actually carry serious security risks.
Risk 1: Malware Vector
Emotet, which caused widespread damage in 2020-2021, spread via password-protected ZIP files. Encrypted ZIPs bypass email gateway virus scanning, making them an ideal malware delivery mechanism. Many organizations were compromised through this attack vector.
Risk 2: Weak ZIP Encryption
Standard ZIP encryption (ZipCrypto) is vulnerable to known-plaintext attacks. If an attacker knows part of the plaintext (for example, a PDF header), the encryption can be broken. Even AES-256 ZIP encryption can be brute-forced if the password is weak.
| Encryption | Security |
|---|---|
| ZipCrypto | Vulnerable (known-plaintext) |
| AES-128 ZIP | Moderate (weak password risk) |
| AES-256 ZIP | Moderate (weak password risk) |
| AES-256-GCM (SecureMint) | Strong (authenticated + PBKDF2) |
Risk 3: Password Sent via Same Channel
In PPAP, the practice of emailing a password-protected ZIP and then emailing its password separately, both the ZIP file and the password travel through the same email channel. An attacker who can intercept one can intercept both, rendering the encryption meaningless. It's like handing a locked suitcase and the key to the same person.
Risk 4: No Audit Trail
With password-protected ZIPs, there's no way to know who opened the file or how many times. Data leaks go undetected. SecureMint Pro tracks download time, IP address, and ISP information.
Government Response
In November 2020, Japan's Digital Minister announced the discontinuation of PPAP in central government agencies. Since then, major corporations have accelerated their PPAP phase-out. In 2026, the Financial Services Agency also asked financial institutions to stop using PPAP.
Switch to Secure File Sharing
SecureMint delivers files safely with a single E2E encrypted link. Free, no registration.