ZIP file encryption is one of the most commonly used ways to protect files before sending them by email or putting them on a shared drive. But how secure is ZIP encryption really? The answer depends on which of the two encryption methods the archive uses, and then on the password.
Two types of ZIP encryption
ZIP files support two encryption methods, and the difference between them is enormous:
ZipCrypto (Legacy) – The original PKZIP encryption from the early 1990s (the "traditional PKWARE encryption" of the ZIP specification). It is a homegrown stream cipher whose entire state is three 32-bit registers, and it is fundamentally broken: Biham and Kocher published a known-plaintext attack in 1994 that recovers that internal state from roughly a dozen bytes of known plaintext, and free tools such as bkcrack implement it. An attacker who knows part of the content (the fixed header bytes of a PDF, PNG or Office document, or an unencrypted copy of any one file in the archive) recovers the keys in minutes and can then decrypt every entry encrypted with the same password. One detail matters for the attacker: ZipCrypto encrypts the compressed data, so the known bytes must be bytes of the compressed stream, which is why a stored (uncompressed) entry or a second copy of one of the files is the usual way in. Windows Explorer's built-in extractor understands only ZipCrypto, which is one reason people keep falling back to it. If you are using ZipCrypto, you might as well not be encrypting at all.
AES-256 – The AES option in modern ZIP tools (7-Zip, WinZip, and most others) is the WinZip "AE-2" extension: AES-256 in CTR mode, an HMAC-SHA1 authentication tag over the ciphertext, and a key derived from the password with PBKDF2-HMAC-SHA1. AES-256 itself is the algorithm approved for classified US government data, and nobody breaks these archives by attacking the cipher; with a strong password the ciphertext is, in practice, unbreakable. Two caveats: the key derivation runs only 1,000 PBKDF2 iterations, cheap enough that password guessing proceeds at millions of attempts per second on a single GPU, so the password is the whole game; and not every reader supports it (Windows Explorer and Python's zipfile module cannot open AES-encrypted entries), so check that the recipient can actually extract what you send.
The password problem
Even with AES-256, your ZIP encryption is only as strong as your password. A four-character password falls in seconds. An eight-character password of lowercase letters has about 2 × 10^11 possibilities (26^8); at the millions of guesses per second a single GPU manages against ZIP's cheap key derivation, that is a matter of hours, and a wordlist with common mangling rules finds most human-chosen passwords far faster than that. A truly strong password needs to be random rather than memorable: at least 16 characters mixing upper, lower, digits and symbols, or better, a passphrase of five or six randomly chosen words.
What ZIP encryption does NOT protect
An important limitation: standard ZIP encryption, ZipCrypto and AES alike, encrypts only each entry's data. The central directory stays in the clear, so anyone can open the archive without the password and read every file name, its uncompressed size, its timestamp, and the CRC-32 of its plaintext. The names alone can be a significant information disclosure ("q3-layoffs-draft.docx" says plenty), and the CRC-32 lets an attacker confirm a guess at the contents of a small file (a PIN or a short password in a text file) without ever touching the encryption. If the file names are sensitive, use 7-Zip's 7z format with the "encrypt file names" option (`-mhe=on` on the command line), which encrypts the archive headers as well.
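The following runnable example was written for this page (it is not code from 7-Zip, WinZip, bkcrack or any other tool mentioned here) and makes the ZipCrypto, password and file-name points above concrete. It builds a one-entry ZIP in pure Python using the ZipCrypto key schedule from the PKWARE APPNOTE, then uses the standard library's zipfile module, an independent decrypter, to show that the file name is readable without a password, that the correct password decrypts (which also checks that the cipher code is faithful), and that a short wordlist recovers a weak password offline. The file name, contents, password and wordlist are constructed sample data; the Biham-Kocher known-plaintext attack itself is not implemented.

```python
import io
import os
import struct
import zipfile
import zlib
from typing import List, Optional

# Constructed sample data: a file whose name alone leaks something.
SAMPLE_NAME = "board-minutes-confidential.txt"
SAMPLE_PLAINTEXT = b"Board resolved to accept the acquisition offer on 2024-03-14.\n"
SAMPLE_PASSWORD = b"winter2023"
WORDLIST = [b"password", b"123456", b"letmein", b"summer2024", b"Welcome1", b"winter2023"]


class ZipCrypto:
    """Legacy PKWARE stream cipher (APPNOTE 6.1): three 32-bit registers stepped by
    a CRC-32 table lookup and a linear congruential multiply. The tiny state is
    what makes known-plaintext key recovery feasible."""

    def __init__(self, password: bytes) -> None:
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for ch in password:
            self._update(ch)

    @staticmethod
    def _crc32(crc: int, ch: int) -> int:
        # One raw CRC-32 table step on the register. zlib.crc32 inverts the
        # value on entry and exit, so undo that around the call.
        return zlib.crc32(bytes([ch]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, ch: int) -> None:
        self.k0 = self._crc32(self.k0, ch)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc32(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            k = self.k2 | 2
            out.append(p ^ (((k * (k ^ 1)) >> 8) & 0xFF))
            self._update(p)  # state advances on the plaintext byte
        return bytes(out)


def build_zipcrypto_archive(name: str, plaintext: bytes, password: bytes) -> bytes:
    """One-entry ZIP, data stored (uncompressed) and ZipCrypto-encrypted. Only the
    entry data is encrypted; the local header and central directory, carrying the
    name, sizes and plaintext CRC-32, are written in the clear."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    # 12-byte encryption header: 11 random bytes plus the high byte of the
    # plaintext CRC, which is the only password check a ZIP reader has.
    header = os.urandom(11) + bytes([(crc >> 24) & 0xFF])
    body = ZipCrypto(password).encrypt(header + plaintext)
    fname, flags, method = name.encode("ascii"), 0x0001, 0  # flag bit 0: encrypted
    dos_time, dos_date = 0, ((2024 - 1980) << 9) | (1 << 5) | 1  # 2024-01-01 00:00
    local = struct.pack("<4sHHHHHLLLHH", b"PK\x03\x04", 20, flags, method, dos_time,
                        dos_date, crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<4sHHHHHHLLLHHHHHLL", b"PK\x01\x02", 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(plaintext),
                          len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4sHHHHLLH", b"PK\x05\x06", 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def list_without_password(archive: bytes) -> List[str]:
    """No password needed: the central directory is never encrypted."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.namelist()


def try_password(archive: bytes, name: str, password: bytes) -> Optional[bytes]:
    """Plaintext on the right password, None otherwise. A wrong password usually
    fails the header check byte (RuntimeError); about one time in 256 it passes
    that and fails the CRC-32 instead (BadZipFile), so catch both."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        try:
            return zf.read(name, pwd=password)
        except (RuntimeError, zipfile.BadZipFile):
            return None


def dictionary_attack(archive: bytes, name: str, wordlist: List[bytes]) -> Optional[bytes]:
    """Offline guessing: the archive itself is the oracle, so nobody is alerted."""
    for guess in wordlist:
        if try_password(archive, name, guess) is not None:
            return guess
    return None


if __name__ == "__main__":
    archive = build_zipcrypto_archive(SAMPLE_NAME, SAMPLE_PLAINTEXT, SAMPLE_PASSWORD)
    print("names visible without a password:", list_without_password(archive))
    print("recovered password:", dictionary_attack(archive, SAMPLE_NAME, WORDLIST))
    print("plaintext:", try_password(archive, SAMPLE_NAME, SAMPLE_PASSWORD))
```

The name appears twice in the archive bytes, once in the local header and once in the central directory, before any decryption happens; the same is true of the size and the plaintext CRC. The round trip through zipfile is the honest test of the cipher: if the hand-written key schedule were off by one step, the stdlib would reject the password or fail its CRC check.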
Best practices
- Always use AES-256 encryption, never ZipCrypto, and confirm the recipient's tool can open AES-encrypted archives before you rely on it
- Use randomly generated passwords of at least 16 characters, or a passphrase of several random words
- Send the password through a different channel than the ZIP file (not in the same email thread)
- Use the 7z format with header encryption if file names, sizes, or checksums need protection
- For truly sensitive data, use purpose-built encryption tools like GPG or VeraCrypt rather than ZIP encryption
ZIP encryption with AES-256 and a strong, separately delivered password is adequate for general business use. For regulated data or anything truly sensitive, use the purpose-built tools above, which also keep file names and other metadata out of sight.