
How can I password protect my documents?

I keep a daily journal in Microsoft Works on Windows XP. Is there a
way to put a password on it, or lock it up somehow, so only I have
access to it?

There are several approaches to keeping your private data private.
Some good, some bad, and many in-between.

Let’s look at the list, from least to most secure.


I’ll start by suggesting that, whatever you do, you regularly back up your uncompressed
document in a safe and secure place. Many of these techniques have no
recovery option should you lose your password, or should the file become corrupted
for some reason. As with all things: back up early, back up often.

Many applications allow you to password protect their native files. I’m
not sure about Works, to be honest, but programs like Word, Excel and others
allow you to set a password on the document that you must then enter in
order to open it. In Word, for example, you can set a password on your document
in the Tools menu, Options dialog, Security tab.

The problem with built-in password support is that it’s typically not that
robust. Historically, application-provided security has been relatively easy
to crack. I view it as the classic case of “keeping honest people honest”, but
not really a serious deterrent to a motivated hacker.

Many programs that create compressed archives also support password protection.
Check programs that create ZIP and other types of compressed files for options
relating to passwords. The approach here is to compress your document into,
say, a password protected ZIP file, and only uncompress it when you want to view
or modify it. Recompress it when you’re done, remembering to delete the uncompressed
version.

Sadly, most password protection in these compression utilities is also on a
par with that in the applications themselves. A dedicated hacker with enough time
and resources can probably get through the protection eventually.


The reason that applications and utilities above have less than industrial
strength protection is simply that password protection is just a feature added
on to an application that really exists for another purpose.

The next level up, of course, is utilities that are intended specifically
for security.

My favorite for exactly the scenario you describe is a Windows
utility called TrueCrypt. TrueCrypt
allows you to create a highly encrypted file that appears as a virtual disk
drive on your system. You can copy any files on to that “drive” and they are
automatically encrypted. The file containing the virtual drive can be copied
to any machine, but you must specify the password in order to mount the drive
and view its contents.

TrueCrypt is ideal if you travel and need to carry sensitive data with you. I cover it in a little more detail in the article
“How can I keep data on my laptop secure?”.

So far everything I’ve covered is password based, and therefore highly
dependent on the password you choose. Choose a weak password and no technology
can keep someone from guessing it.
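
The point about weak passwords, as an added example that is not part of the original article: a password-protected container is built with a deliberately slow key derivation, then audited against a short list of common passwords. The PBKDF2 settings, the SHAKE-256 keystream standing in for a real cipher such as AES, the wordlist and both sample passwords are assumptions constructed for this illustration.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; real tools choose their own settings.
KDF_ITERATIONS = 20_000
SALT_BYTES = 16


def derive_keys(password: str, salt: bytes):
    """Stretch a password into separate encryption and integrity keys (PBKDF2)."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              KDF_ITERATIONS, dklen=64)
    return raw[:32], raw[32:]


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only; a real tool would use AES."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def lock(password: str, plaintext: bytes) -> dict:
    """Build a container holding salt, ciphertext and an integrity tag."""
    salt = os.urandom(SALT_BYTES)
    enc_key, mac_key = derive_keys(password, salt)
    ciphertext = keystream_xor(enc_key, plaintext)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unlock(container: dict, password: str):
    """Return the plaintext, or None when the password is wrong."""
    enc_key, mac_key = derive_keys(password, container["salt"])
    expected = hmac.new(mac_key, container["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, container["tag"]):
        return None
    return keystream_xor(enc_key, container["ciphertext"])


def survives_wordlist(container: dict, wordlist) -> bool:
    """Audit: True only if no word in the list opens the container."""
    return all(unlock(container, word) is None for word in wordlist)


# Constructed sample data: a tiny common-password list and a journal entry.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "journal"]
ENTRY = b"Dear diary, constructed sample text."
weak = lock("letmein", ENTRY)
strong = lock("maple-orbit-thirteen-cactus", ENTRY)

if __name__ == "__main__":
    print("weak password survives list:", survives_wordlist(weak, COMMON_PASSWORDS))
    print("long passphrase survives list:", survives_wordlist(strong, COMMON_PASSWORDS))
```

The key stretching makes every guess slower, but it cannot help a password that appears on the list: the container locked with the weak password fails the audit regardless of the cipher behind it.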

Another approach is to use public key encryption. Using a utility such as
GPG (Gnu Privacy Guard), you can create public and private keys, and encrypt
your files with a public key such that they can only be decrypted by someone holding the matching
private key. This is industrial strength encryption, but might perhaps be overkill
for common use. It’s one approach to encrypting email messages, for example, and
I cover it in a little more detail in “How do I send encrypted email?”.

As you can see, there are several approaches. If this is just a lightweight situation,
it’s possible that application password support may be enough. In general, though, my
recommendation for both security and convenience remains TrueCrypt.


9 comments on “How can I password protect my documents?”

  1. Yeah, as Leo already said, there are several approaches and many different programs to use to keep private data safe.

    My favorite text-encrypter program is LockNote: http://locknote.steganos.com (SF-link: http://sourceforge.net/projects/locknote, download it here: http://www.steganos.com/LockNote.exe), which saves the encrypted text into an .exe file itself, and thus makes it “portable”, which means that there is no need for this program to be residing on other computers, the user just needs a password to see the contents. The other one is Ciphrtxt: http://www.roadkil.net/ciphrtxt.html program (download it here: http://www.roadkil.net/downloads/ciphrtxt.zip), a similar application that encrypts text of any size, however, this one doesn’t store it in any dedicated file, but you just need to copy it into a Notepad for instance and save it. Next time, you just need to copy this text back to the Ciphrtxt’s UI and decrypt it with a previously chosen password …

    Well, and there is yet another program similar to LockNote mentioned above; this one is called fSekrit: http://www.donationcoder.com/Software/Other/fSekrit, also a portable/non-setup-required application which same as LockNote “generates” portable .exes that contain encrypted text, however, it is totally smaller in size (fSekrit’s 39.0 KB compared to LockNote’s 296 KB), and there are few other advantages too.

    And finally, there is a free version of Cryptainer called Cryptainer LE: http://www.cypherix.com/cryptainerle/index.htm (I use the paid-for version Cryptainer PE); this one creates an encrypted container/vault which functions like any other drive (C: or D:) on your computer. You just need to drag and drop any file into the container (in Explorer or in Cryptainer’s GUI), which is then automatically encrypted. Cryptainer files can only be viewed, accessed, browsed or modified by the user who has the key to open it. At other times it remains invisible.

    P.S. There are also many others that I’ve tried so far (some that are able to “lock” files, or “hide” folders, others that encrypt single files etc.), but these ones mentioned above seem to be the best, at least for me personally.

    best regards,
    Ivan Tadej, Slovenia, Europe
    http://users.volja.net/tayiper/

  2. Leo missed pointing out one of the biggest gotchas in the world of file encryption, and that is the built-in Windows file encryption attribute. What looks like a great feature, and one that works great when employed by the unsuspecting newbie, is in fact his/her worst nightmare just waiting to spoil the day. The encryption scheme is user based. Only the user who created the encrypted file can see it, and anyone else not logged on as that user will not see the file (including the administrator).

    Problems start when the user forgets his login, or crashes his OS and has to reinstall. The user profile changes and the user will no longer have access to the file. There are preventive measures… profile backups, some backup programs copy the file in decrypted form, and probably other safeguards, but who needs hidden gotchas like that.

    All good points. You’ll notice that Windows built-in file encryption was not one of my recommendations :-).

    – Leo
    12-Apr-2006
  3. In response to Thomas’ post, is there any way to open the encrypted file? I had to replace a motherboard and now cannot get the OS to come up. I now have the hard drive hooked up to another computer.

  4. I had password-protected “My Documents” all this while and recently my hard disk is corrupted. I’m trying to retrieve whatever I could by plugging in my hard disk into another working computer. However, I couldn’t access my documents cos it’s password protected. I have the password, but how do I access it?

    You didn’t say HOW you password protected it.

    If you used Windows, you may not be able to access it. You *might* be able to using a Linux boot disk.

    However if you encrypted it using Windows native encryption, you can only decrypt on the original system, and logged in as the original account that had encrypted it.

    – Leo
    01-Oct-2007
  5. Minor point of clarification about TrueCrypt: It only offers protection when TrueCrypt is not running. That’s because the password is only needed to first “mount” the encrypted file blob. While TrueCrypt is running and your sensitive files are visible as a drive letter, it offers no protection.

    That’s true for any technique one might use to encrypt data. In order to actually use the data, it must be decrypted. While decrypted it’s …. well, decrypted.

    – Leo
    08-Apr-2009
  6. One good way to “password protect” (i.e., encrypt) files is to use WinZip (available at http://www.winzip.com). Provided you’re smart enough to enable it (and not use the stupid “legacy” encryption method!), it uses AES, the Advanced Encryption Standard, which was privately developed under the sponsorship of the U.S. government and is a genuine “military-strength” cipher.

    WinZip is great for encryption because any encrypted file should really be compressed anyway, because this greatly enhances the encryption by helping to defeat cryptanalysis (compression disguises the original file’s natural characteristics).

    There are only two caveats I see with using WinZip and AES — one practical, and one paranoiac. In order, they are:

    1. DON’T, under any circumstances, forget your passphrase! There are no “backdoors” (at least, that we know of!) to WinZip, so if you lose your passphrase you have essentially lost your file!

    2. Because AES was developed under government auspices, there are those who suspect that the government must therefore necessarily have the key to it. Whether this is true or untrue, it would seem merely prudent not to trust to it anything that you would wish to keep from law enforcement. For that purpose, I’d recommend something like Blowfish, which has been extensively peer reviewed and which has remained secure and uncracked to this day, and into the invention and development of which the government never once shoved its all-snuffing nose.

  7. I created a folder named ‘con’. Now I wanna delete it. How can I delete it? I know these types of folders like con, sys, etc. can’t be created unless you know the trick. But we can only create it. How we delete it is unknown to me. Can anybody tell me??

  8. Great Article.
    Very thorough too.
    But, I think the MS Word Password protected document can be easily hacked by saving the password protected document as RTF.
    Thanks a ton for the valuable post
