Do you wonder how vulnerable password-protected word-processing, spreadsheet, and Zip files are when users send them into the wild blue yonder? Wonder no more. Some great utilities can show how easily passwords are cracked. But there are some countermeasures you can take as well. Read on to learn more about both.

How to crack files

Most password-protected files can be cracked in seconds or minutes. You can demonstrate this “wow factor” security vulnerability to users and management. Here’s a hypothetical scenario that could occur in the real world:
  1. Your CFO wants to send some confidential financial information in an Excel spreadsheet to a company board member.
  2. She protects the spreadsheet by assigning it a password during the file-save process in Excel.
  3. For good measure, she uses WinZip to compress the file and adds another password to make it really secure.
  4. The CFO sends the spreadsheet as an e-mail attachment, assuming that the e-mail will reach its destination.
    The financial advisor’s network has content filtering, which monitors incoming e-mails for keywords and file attachments. Unfortunately, the financial advisory firm’s network administrator is looking in the content-filtering system to see what’s coming in.
  5. This rogue network administrator finds the e-mail with the confidential attachment, saves the attachment, and realizes that it’s password protected.
  6. The network administrator remembers a great password-cracking tool available from Elcomsoft called Advanced Archive Password Recovery that can help him out so he proceeds to use it to crack the password.
Cracking password-protected files is as simple as that! Now all that the rogue network administrator must do is forward the confidential spreadsheet to his buddies or to the company’s competitors.
If you carefully select the right options in Advanced Archive Password Recovery, you can drastically shorten your testing time. For example, if you know that a password is not over five characters long or is lowercase letters only, you can cut the cracking time in half.
You should perform these file-password-cracking tests on files that you capture with a content filtering or network analysis tool. This is a good way to determine whether your users are adhering to policy and using adequate passwords to protect sensitive information they’re sending.

Countermeasures

The best defense against weak file password protection is to require your users to use a stronger form of file protection, such as PGP, or the AES encryption that’s built in to WinZip, when necessary.
Ideally, you don’t want to rely on users to make decisions about what they should use to secure sensitive information, but it’s better than nothing. Stress that a file encryption mechanism, such as a password-protected Zip file, is secure only if users keep their passwords confidential and never transmit or store them in unsecure cleartext (such as in a separate e-mail).
If you’re concerned about unsecure transmissions through e-mail, consider using a content-filtering system or a data leak–prevention system to block all outbound e-mail attachments that aren’t protected on your e-mail server.