Five reasons to stop using password-protected zip file email attachments: Why is it so dangerous?


: cloud , cloud backup , cloud storage , filebako , tsukaeru filebako

By blog Jan 29 2021


In November 2020, the Japanese government's Minister of Digital Transformation, Takuya Hirai, announced that the Cabinet Office would discontinue the use of password-protected zip file email attachments (PPAP) for security reasons.
In today’s article, we will provide an overview of PPAP, its problems, and safe alternatives.

What is PPAP?


PPAP refers to the process of sending an encrypted file (with password) attachment in an email and then sending the password to unzip the file in a second email. As a part of security measures, this method is used by many companies and organizations, as well as government agencies in Japan.
The abbreviation "PPAP" was coined by IT consultant, Akira Ootaishi, and comes from the following terms (*1):

  • P: Password-protected file is sent.

  • P: Password is sent separately.

  • A: Encryption (“angouka” in Japanese)

  • P: Protocol


Do other countries use PPAP, or is it only used in Japan?


While PPAP is a common security measure in Japanese companies, in fact, it is rarely seen overseas where password-protected zip files tend to be viewed suspiciously and treated as potential virus vectors.
It is not clear why PPAP has become so popular in Japan, but it seems to be one of the unique business practices that have developed in Japan.


The history of PPAP


PPAP is widely used in Japanese companies, and in many cases, its use is even an official company security policy.
The origins of this practice can be traced back to the early days when email was first used for business purposes, and this method of sending password-encrypted zipped files by email and then providing the password through another channel (fax, paper document, etc.) was developed as a security measure.

The above method was thought to be useful in becoming a Privacy Mark certified entity and spread rapidly in Japan. However, faxing or sending paper documents became too cumbersome, so it was gradually decided that passwords could also be sent by email, simplifying the method. As a result, the use of PPAP in Japan has remained unchanged to this day.


Why is PPAP dangerous? Why is it being abolished by the Japanese government?


As mentioned at the beginning of this article, the Cabinet Office has decided to abolish the use of PPAP. (*2) In response, the Japan Institute for Promotion of Digital Economy and Community (JIPDEC), which operates the Privacy Mark system, has also officially announced the organization has never endorsed PPAP. (*3)
However, why is PPAP considered dangerous, and why is there a growing trend to abolish it? Below are five reasons:


▼ Sending encrypted zip and password separately by email provides limited protection.


There is little point in sending a password-protected zip file and the password in separate emails if hackers can access the email system. If the first email with the attachment is accessible, the second email with the password will be equally compromised.


▼ Security software cannot detect viruses in attachments.


Currently, many security software programs automatically scan email attachments for viruses. However, if the attached file is zipped and encrypted, security software will not be able to check the contents. In other words, if the file contains a virus, it is likely to be delivered to your inbox undetected.



▼ Zip files encrypted with passwords are at high risk of compromise.


Passwords-encrypted zip files are considered in the industry to be relatively simple to crack. Unlike website logins, encrypted zip files are easy for cybercriminals to access because unlimited password attempts are allowed.


▼ Emails may be vulnerable to interception or access in transit.


Emails pass through multiple servers between the time it is sent and received by the final party. If any part of an email is not properly encrypted, an attacker can easily eavesdrop on the contents. Therefore, passwords written in plain text are extremely dangerous.


▼ Wasteful measures reduce work efficiency


The PPAP process requires a great deal of time and effort on both the part of the sender and the receiver. Multiple steps are necessary to create and send the encrypted file by the sender. The receiver has to access the PPAP system via the first email, then open the second email to copy and paste the password. This inefficiency can result in a decrease in productivity.


Alternatives to PPAP


Let us look at an alternative to PPAP for businesses to send and receive files securely.


▼ Cloud storage is the safest measure.


The most secure alternative to PPAP, and one that is actually used most often, is the use of cloud storage to send and receive files. With cloud storage, specifically, files are often shared in the way described below.
For this article, we will use our Tsukaeru Filebako cloud file sharing service (client version) as an example.



After installing the Tsukaeru Filebako desktop client, files can be easily shared in the familiar Explorer format.
The beta version, scheduled for an early 2021 release, will allow passwords to be added to public links directly from Explorer, without having to access the browser version (web version).
1.Right-click on the file name to share and then select “Create Public Link.”
2.The password can be directly entered in the pop-up window that appears.

The password-protected file can be easily shared by providing the recipient with the created link.
The ability to share files via URLs with cloud storage solves all of the potential PPAP problems. There is no need to encrypt the file each time they are sent or send multiple emails.

▼ 2FA (two-factor authentication) settings provide even greater security.

Recently, two-factor authentication has been increasingly implemented as a security measure to prevent identity theft and unauthorized logins. In the past, users were only authenticated with an ID and password when logging in. However, now, another level of authentication is being added to strengthen the identification process.
Of course, this two-factor authentication feature is also available with Tsukaeru Filebako.
To implement, select “Security” then “Two-Factor Authentication” from the settings screen, and choose between "Email Address" or "Application."


If email address authentication is chosen, recipients will receive by email the authentication code needed to log in.



▼ Tsukaeru Filebako provides reliable security.


When choosing a cloud storage service, robust security measures are extremely important. For this reason, we recommend Tsukaeru Filebako, the cloud storage service from Tsukaeru mentioned earlier.
Tsukaeru Filebako is a full security, cloud storage service that is hosted on its own servers in Japan and allows the setting of expiration dates for shared links and the remote deletion of device data. It can be installed on the same day, is easy to use even for beginners, and has an affordable and simple fee structure.
A two-week free trial is also available (completely free of charge with no need to sign a contract!). Please take advantage of this opportunity to try it out for yourself.
Click here for Tsukaeru Filebako details.
Sign up for a free Tsukaeru Filebako trial.
Contact us at Tsukaeru.

*1 Workplace Reform Starting with Changing the Habit of Attaching Files to Emails (PDF, Japan Institute for Promotion of Digital Economy and Community)
2* Automatic Encryption ZIP Files Discontinued by Cabinet Office; Cabinet Secretariat - Digital Minister: "Inappropriate" (Nihon Keizai Newspaper) 
*3 Sending files as email attachments (Japan Information Processing Development Corporation)

<< ブログHOMEへ