The problem with Microsoft Word password protection & secure alternatives
Microsoft Word’s password protection has several serious flaws. Here’s how to protect a doc from sharing, copying, editing, and printing with more secure solutions.
The problems with password protection
Passwords have been used as a method of security since ancient times, when sentries would challenge those wishing to enter a restricted area to verbalize a particular word or phrase. Used liberally by the Romans, and then used even more liberally during World War I and II, it was perhaps inevitable that this security mechanism would be adopted from the earliest form of computing.
However, the same flaws in password security that existed in ancient times still exist today. Passwords can be easily guessed if they are not secure, or passed on by an insider to somebody who is not supposed to know them. These problems have only been exacerbated by the invention of brute force tools (which can try hundreds of combinations a second), instant forms of communication, and phishing attacks.
All of this has led tech giants such as Microsoft to start asking why we are still using passwords at all. However, though the company confidently asserts that “we have to stop using passwords”, its Microsoft Word application still secures documents with this outdated form of protection. Users are also unaware of how little protection passwords actually provide, with Google searches on ‘How to password protect a Word document’, or ‘How do I create a simple Word file that is password protected’ remaining ever popular.
The procedure to password-protect a Microsoft Word document is extremely simple:
- Open the Office document you would like to protect.
- Select the File menu, click on the Info tab, and then press the Protect Document button.
- Select from the drop-down menu the option ‘Encrypt with Password’.
- Enter your password then click OK.
However, we have outlined in a previous blog just how inadequate Microsoft Word password protection is. Non-technical users can trivially remove any editing restrictions and, in many cases, brute force the document open password in seconds, hours, or days.
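The following is an added example, not code from the original article or from Microsoft. It is a defender-side check that tells apart the two kinds of Word protection mentioned above: an open password, which encrypts the file, and editing restrictions, which only set a flag beside readable content. The function name and sample files are constructed for illustration, and the encrypted-file test is a byte-pattern heuristic rather than a full parser.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # compound-file header
ENC_STREAM = "EncryptedPackage".encode("utf-16-le")  # stream name in encrypted OOXML


def classify_word_protection(data: bytes) -> str:
    """Classify .docx bytes by the kind of protection applied (hypothetical helper)."""
    # "Encrypt with Password" wraps the document in an OLE compound file
    # holding an EncryptedPackage stream; the result is no longer a ZIP archive.
    if data.startswith(OLE_MAGIC):
        # Heuristic (assumption): search for the stream name instead of
        # parsing the compound-file directory.
        return "encrypted" if ENC_STREAM in data else "legacy-or-unknown"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-a-word-file"
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/settings.xml" not in z.namelist():
            return "unprotected"
        root = ET.fromstring(z.read("word/settings.xml"))
    prot = root.find(f"{{{W_NS}}}documentProtection")
    enforced = prot is not None and prot.get(f"{{{W_NS}}}enforcement") in ("1", "true", "on")
    # An enforced restriction is a flag stored next to unencrypted content,
    # so it should never be counted as confidentiality protection.
    return "edit-restricted" if enforced else "unprotected"


def _sample_docx(settings_body: str) -> bytes:
    """Build a constructed, minimal .docx-like ZIP for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W_NS}"/>')
        z.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}">{settings_body}</w:settings>')
    return buf.getvalue()


# Constructed sample inputs (not real documents).
RESTRICTED = _sample_docx('<w:documentProtection w:edit="readOnly" w:enforcement="1"/>')
PLAIN = _sample_docx("")
ENCRYPTED = OLE_MAGIC + b"\x00" * 504 + ENC_STREAM  # stand-in: header plus stream name

if __name__ == "__main__":
    for name, blob in [("restricted", RESTRICTED), ("plain", PLAIN), ("encrypted", ENCRYPTED)]:
        print(name, "->", classify_word_protection(blob))
```

Run over a file share, a check like this shows which documents labelled "protected" are only edit-restricted and therefore readable by anyone who obtains the file.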
So, you may be wondering how to lock a Word document without passwords and whether Word files are the best format to use for confidential and sensitive information. Let’s take a look at the options and assess their level of document protection.
Google Docs sharing
Your first thought may be to go straight to Microsoft’s largest competitor in the word processing space – Google. Google Docs doesn’t protect documents with passwords (though you can use an ineffective third-party solution to password protect a Google Doc). Instead, it allows users to share files and documents via either a link or with selected Google accounts.
The benefit of this method is that it’s very convenient – the recipient can view the document directly in their browser and sharing the document only takes seconds. From a security perspective, however, link sharing is clearly useless. Somebody can pass on the link just as they would a password.
Sharing with Google accounts is perhaps more secure, but it’s still password protection at heart. After all, the account is protected by a password, and there’s nothing to stop those credentials from being shared either, whether that’s intentionally or due to a phishing or keylogging attack. Even Google Docs’ editing restrictions can be easily bypassed, making it no better than Word for document protection.
PGP File Encryption
The simplest way to protect a Word document without a password is by using standard file encryption, which uses pairs of private and public keys rather than passwords.
File encryption (so long as a strong algorithm is used) is a good way of protecting a document in transit and at rest. Without a private key, it is incredibly difficult for an attacker to open an encrypted document.
However, PGP encryption is not all-encompassing. It does nothing to protect a file once it has been decrypted and therefore cannot prevent authorized users from sharing the decrypted document with an unauthorized one. Additionally, though a private key cannot be guessed using current technology (it is just too long and complex), it can still be shared, leaked or phished, just like a password. This would allow a third party unauthorized access to any document that is encrypted for that key.
In short, then, file encryption is better than the open passwords you’ll see in Microsoft Word or Adobe Acrobat, but it alone won’t stop sensitive or confidential information from leaking.
Enterprise Rights Management software
Microsoft has its own enterprise security software designed to help classify and protect documents without the need for passwords. It’s called Azure Rights Management, and is a component of Microsoft’s wider Azure Information Protection Suite. Azure Rights Management is designed to protect the content of anything from emails to documents and images through the use of cloud-based protection technology.
Though it used to support only Microsoft Office files, its reach has since been extended to Adobe Creative Cloud, PDF, and other file types. In all, it sounds perfect – with sounds being the operative word.
Unfortunately, as detailed by the paper How to Break Microsoft Rights Management, it is entirely possible and even simple for a user that is supposed to only have the right to view a document to gain the ability to copy, modify, print, and share it. The tools to do so are freely available on GitHub and seemingly easy to use via a provided .exe file.
Scarily, users can not only modify documents, but re-protect them and make it look like they haven’t been modified at all. I’m sure you can see the damage this could do if an employee authorized to view the document, or indeed a hacker who had compromised the credentials of such an employee, modified the bank details on an invoice.
There are other considerations with ERM software, too. Namely: what if you are not a large enterprise? Those not already subscribed to Microsoft 365 Enterprise will have to shell out $2/user per month for its base protection and $5 a month for its premium plan. Then there are the usual setup, training, maintenance, and support costs to think about. All told, you may end up paying a pretty sum for a solution that does not work as intended.
Document Rights Management software
A simpler, more affordable, and more effective solution is digital rights management (DRM) software. Locklizard’s Safeguard DRM system, for example, homes in specifically on the most shared document format: PDF. By focusing on doing one thing really well, it is able to achieve a high level of protection with low complexity and at a reasonable cost.
How Locklizard DRM works
Locklizard’s document DRM removes the need for passwords and transfers encryption keys securely in the background where the user cannot see or share them. It also ensures that users cannot bypass its editing, printing, or copy/paste controls or take a screenshot of the document using screen grabbing tools.
To achieve this, it uses a combination of encryption, licensing, DRM controls, and a secure viewer application. A writer application encrypts a PDF so that it can only be viewed by those with the decryption key while encoding the DRM controls that should be applied to the document (stopping printing, expiry dates, etc.). A DRM licensing server then ties a user to a specific account and content, with decryption keys transparently relayed to an encrypted, unsharable keystore on the user’s device.
The encrypted PDF file must be opened in the secure viewer application, which does not have the capability to copy and paste or edit, and prevents users from printing to file or printing at all (if you choose to prevent it). It also greys out the window when any screenshot application is used, including third-party ones, and you can optionally choose to blank it out whenever it is not in focus.
These systems working in tandem create a solution that’s quite elegant and intuitive for the end-user – whether that may be the person protecting the document or the person reading it.
How to protect a Word document without passwords using Locklizard Safeguard DRM
Locklizard does not protect Word documents in their native format – they have to be saved as PDF first. Once you have done that however, you end up with a protected document that users cannot share, copy, edit or print (unless you specify otherwise), making it a much more secure solution than Microsoft Word for document distribution.
Here’s the protection process from start to finish:
- Open your Word document and press “File > Export > Create PDF/XPS Document”.
- Right-click on your PDF in Windows File Explorer and select the option “Make Secure PDF”.
- Choose any controls you want to apply to your document by selecting them in the Writer application.
- Press the “Publish” button at the bottom of the window to encrypt your document.
On publication, your document will output to its source folder in the .pdc file format and you can safely share it knowing that nobody can access it without a valid license.
- Add a user account and send them their license via the Safeguard admin portal.
With the PDF published, you’ll need to send your recipients the encrypted .pdc file, alongside a download link for the secure PDF reader application and a valid license. The simplest way of doing so is by ticking “Email license” when you add a new user. See how to add a new user and grant them document access.
What document protection is best for you?
Though we naturally think that our solution is an excellent choice, the best one for you will depend on your requirements.
- If you are just sending Microsoft Word documents between trusted parties, then PGP file encryption may be enough, and best of all it is free.
- If you labor under a zero-trust policy or will be sending documents to untrusted parties, then you will need more protection than that. For those with a Microsoft 365 Enterprise plan, Azure Rights Management won’t cost you as much and could be worth considering, especially if you want to protect a document in Word (.docx) format. However, you do need to keep in mind that its ability to protect the contents of your documents is limited. It may only take users a Google search and a couple of extra steps to bypass your security.
- PDF DRM trades wide file type support for effective security. It is not intended to protect collaboration, but instead completed documents that will be sent to others. With most formats able to be exported or saved as a PDF, this can integrate nicely into businesses’ workflows without extensive infrastructure, training, or cost. The most important thing to keep in mind, however, is that it protects documents when they are in transit, at rest, and while being used. This is something neither file encryption nor Azure Rights Management (its read-only protection is easily bypassed) can achieve.