
How to Password Protect ZIP Files That Stay Secure in 2026

Deqian Jia

Founder at Peony — building AI-powered data rooms for secure deal workflows.

Connect with me on LinkedIn! I want to help you :)

Last updated: April 2026

I built Peony because I kept running into the same problem: people would ask me to "just send it as a password-protected ZIP," and I knew that what they were really asking for -- confidentiality, access control, an audit trail -- was something a ZIP file fundamentally cannot deliver. This guide is the honest version of what ZIP encryption can and cannot do, and what to use when you need more.

If you are searching for this, you are probably about to send real data: HR packs, customer exports, contracts, financials, tax folders, maybe a whole "project" directory that you don't want floating around in plain text.

And someone has said:

"Can you just send it as a password-protected ZIP?"

Totally reasonable ask. The problem is that a lot of "password-protected ZIPs" are fake security:

  • Many tools still use ZipCrypto, an old ZIP 2.0 scheme that is widely documented as weak and vulnerable to known-plaintext attacks.
  • Some OS features "compress" but do not encrypt at all.
  • Even with AES, ZIP doesn't have modern password hashing, so short passwords are especially dangerous.

So your instinct -- "I want this to actually be secure, not just look secure" -- is exactly right.

Let's build a setup that is honest, cross-platform, and not painful for the people on the other side.

1. Why you need this (how ZIPs actually cause problems)

ZIPs show up in all types of workflows:

  • HR: offer letters, payroll exports, ID scans.
  • Finance / tax: bank exports, statements, full-year documents.
  • Legal / deals: contracts, disclosure bundles, cap table snapshots.
  • Customer work: CSVs, logs, reports, delivery assets.

The ways they leak are boring:

  • You send an unencrypted ZIP thinking "at least it's in one file." Anyone who gets it can open it.
  • You use default "password protection" that turns out to be ZipCrypto, which is considered broken and easily crackable with widely available tools.
  • You send the ZIP and password in the same email, so anyone who gets the thread has everything they need.
  • Once the recipient extracts the contents, files spread into Downloads, synced folders, backups -- you lose visibility completely without document analytics.

So yes, you should care. You just need to aim at the right target.

2. What "password protecting a ZIP" really has to do

Strictly speaking, a good setup needs to handle two separate jobs:

  1. Protect the archive at rest.

    • Use real encryption, not just compression.
    • Prefer AES-256 over ZipCrypto; modern archivers like 7-Zip can create AES-encrypted ZIPs or 7z archives.
    • Assume the attacker can run password-guessing tools; this is why password length matters.
  2. Accept the limits of the format: once the archive and its password are out, ZIP offers no revocation, expiry, or access log.

That is why, whenever there is a real relationship (clients, investors, partners), a lot of people are moving to:

"Use ZIP for packaging; use a separate system for access control."

This is where Peony gives you a cleaner default.

3. How to do it with Peony (including passwords)

With Peony, you get two layers:

  • A secure room around the ZIP (identity, revocation, analytics).
  • An optional file-level password if someone insists on "we need a password to type in."

Step 1 -- Create a secure room for your bundle

First, prepare your ZIP however you like (it can be plain or already AES-encrypted):

  • Example: client-x-2026-financials.zip

In Peony:

  • Create a room, e.g. "Client X -- 2026 Financial Pack".
  • Upload the ZIP file (and any related documents you might want to share later).

This room is now your "vault" for that bundle.

Step 2 -- Set who is allowed in

In the Peony room:

  • Grant access only to specific email addresses or trusted domains (e.g. @client.com) using identity-bound access.
  • Add passwords to Peony rooms for an additional layer of protection -- you can require both identity verification and a password.
  • For external parties, set view/download permissions according to need:
    • If they must receive the ZIP file: allow downloads but keep access restricted.
    • If they only need to see contents you've previewed: keep them view-only.

Already, you have something better than a shared ZIP password: identity-based access.

Step 3 -- Add a Peony passcode for the file/link

On top of identity, you can:

  • Add a passcode to the shared Peony link or file.
  • Recipients must both:
    1. Reach the Peony link, and
    2. Enter the passcode to view or download.

This achieves the "we want a password gate" requirement without relying on fragile ZipCrypto, and it keeps all crypto and keys on the Peony side rather than inside a brittle archive format.

You can share this passcode out-of-band (SMS, call), just like you would with a ZIP password -- but now, even if the ZIP itself is not encrypted, it is never served without that gate.

Step 4 -- Share one secure link instead of a raw attachment

In your email:

"Here's a secure link to the ZIP. It's behind a passcode so we keep access under proper control on our side."

Drop the Peony link rather than attaching the archive.

You can:

  • Replace or update the ZIP without changing the link.
  • Disable the link or pull access entirely using access management once the work is done.

Step 5 -- Use analytics and revocation

Because everything flows through Peony, page-level analytics and access management give you:

  • Who accessed and downloaded the ZIP.
  • When they accessed it and how long they viewed it.
  • The ability to revoke specific users, domains, or the whole room.

That is everything people secretly want ZIP passwords to do -- but the ZIP format itself cannot.

4. Other methods if you can't use Peony

If you truly must hand over a self-contained, password-protected ZIP file, here is the honest cross-platform picture.

Windows

  • The built-in "Send to Compressed (zipped) folder" does not encrypt; it just compresses.
  • To get real encryption:
    • Use 7-Zip and choose:
      • Format: zip or better 7z
      • Encryption: AES-256 (not ZipCrypto)

macOS

  • Finder's "Compress" does not encrypt at all, and the Terminal command zip -er uses legacy ZIP encryption (ZipCrypto), which is considered weak.
  • For better security:
    • Use a tool like Keka or another 7-Zip-compatible archiver. Keka supports AES-256 for 7z archives and legacy ZIP 2.0 for .zip.
    • If the other side can install 7-Zip/compatible tools, prefer 7z + AES-256.

Linux / CLI

  • zip -er file.zip folder/ uses traditional ZipCrypto encryption -- again, weak.
  • Install p7zip and use:

    7z a -t7z -p -mhe=on secure.7z folder/

    for AES-256-encrypted 7z archives (7z uses AES-256 by default; -mhe=on also encrypts the file names, and -p with no value prompts for the password instead of leaving it in your shell history).

In all of these, security rests heavily on the password quality.
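Before sending an archive, it is worth checking what your archiver actually produced, since the page's point is that many "password-protected" ZIPs are ZipCrypto or not encrypted at all. The following is an added example in Python, not code from this page or from Peony: it reads the central directory of a .zip and reports, per entry, whether it is unencrypted, ZipCrypto, or WinZip-style AES (compression method 99 plus an 0x9901 "AE-x" extra field carrying the key size). The AES extra field and the in-memory archive below are constructed samples; 7z archives are a different container and are out of scope.

```python
import io
import struct
import zipfile
from typing import Dict, Optional

# WinZip "AE-x" extra field: id 0x9901, body = vendor version (2), b"AE" (2), strength (1), real method (2)
AES_EXTRA_ID = 0x9901
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


def aes_strength_from_extra(extra: bytes) -> Optional[str]:
    """Walk the entry's extra-field chain and return the AES key size if an AE-x header is present."""
    pos = 0
    while pos + 4 <= len(extra):
        header_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4 : pos + 4 + size]
        if header_id == AES_EXTRA_ID and len(body) >= 7:
            _vendor_version, vendor_id, strength, _real_method = struct.unpack_from("<H2sBH", body)
            if vendor_id == b"AE":
                return AES_STRENGTH.get(strength, "AES-unknown")
        pos += 4 + size
    return None


def classify_entry(flag_bits: int, compress_type: int, extra: bytes) -> str:
    """Map one central-directory record to the protection it actually has."""
    if not flag_bits & 0x0001:          # general-purpose bit 0: entry is encrypted
        return "unencrypted"
    aes = aes_strength_from_extra(extra)
    if compress_type == 99 and aes:     # method 99 = WinZip AES wrapper around the real method
        return aes
    if flag_bits & 0x0040:              # bit 6: PKWARE "strong encryption" (proprietary, not AE-x)
        return "PKWARE strong encryption"
    return "ZipCrypto"                  # encrypted bit set and nothing else: legacy ZIP 2.0 scheme


def audit_zip(source) -> Dict[str, str]:
    """Classify every entry of a .zip given as a path or file-like object."""
    with zipfile.ZipFile(source) as zf:
        return {i.filename: classify_entry(i.flag_bits, i.compress_type, i.extra) for i in zf.infolist()}


# Constructed samples (not real archives): an AE-2 / AES-256 extra field and a plain zip built in memory.
SAMPLE_AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)


def build_plain_zip() -> io.BytesIO:
    """What 'Send to Compressed (zipped) folder' gives you: packaged, but not encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.csv", "id,amount\n1,100\n")
    buf.seek(0)
    return buf
```

Run audit_zip("archive.zip") on a real file: any entry reported as "unencrypted" or "ZipCrypto" means the archive is not giving you the protection the password implies.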


5. Practical setup tips (so this becomes a calm habit)

A few simple rules will put you in the top tier of "people who actually do this right":

  1. Use long passphrases, not cute 8-char strings. NIST's more recent guidance leans toward 12 to 16 characters or more and treats length as the main defense.

  2. Never send file and password in the same channel. Email the ZIP (or Peony link), text or call the passcode.

  3. Prefer AES-256 or 7z over ZipCrypto. Legacy ZipCrypto is explicitly described as broken and easy to crack; use it only when compatibility absolutely forces you.

  4. Keep a clean original and clean up after. Store your unencrypted source in a safe place; delete stray encrypted copies once they are no longer needed, and revoke Peony access using access management when a project ends.

  5. Default mindset:

    • ZIP (or 7z) = "protect at rest."
    • Peony = "control who can get it, when, and how."

You don't have to become a crypto engineer. If you:

  • Use Peony rooms + link passcodes for sharing,
  • Use AES-based archives only when you truly need a "standalone" encrypted file, and
  • Follow sane password hygiene,

then "password protecting ZIP files" stops being a vague anxiety and becomes a straightforward, boring, reliable part of how you move sensitive bundles around.

Frequently Asked Questions

I need to send our accountant a ZIP of last year's financials -- is ZipCrypto encryption actually secure?

No. ZipCrypto is a legacy ZIP 2.0 scheme that is widely documented as vulnerable to known-plaintext attacks. Anyone with basic tooling can crack it in minutes. If you must use a standalone archive, switch to 7-Zip or Keka and select AES-256 encryption with a passphrase of 14 characters or more. For recurring exchanges like monthly financials, Peony lets you share through an identity-verified link with page-level analytics, so you can see exactly which pages your accountant reviewed and when.

Our legal team insists on a password-protected ZIP for the closing documents. How long does the password really need to be?

NIST guidance recommends 12 to 16 characters minimum, and longer is better because ZIP archives lack modern key-stretching. A 20-character passphrase built from random words is both strong and easy to share over a phone call. Never send the password in the same email as the file. If your legal team needs audit-grade delivery, Peony adds dynamic watermarks stamped with each viewer's identity, so any leaked screenshot traces directly back to the person who took it.

I zipped a folder on my Mac using Finder's Compress and set a password in Terminal. Is that AES-256?

No. The macOS Terminal command zip -er uses legacy ZipCrypto, not AES-256. Finder's built-in Compress does not encrypt at all. For real encryption on macOS, use Keka and choose the 7z format with AES-256. If you are sharing the archive externally rather than just storing it locally, Peony's NDA gate lets you require recipients to sign a non-disclosure agreement before they can even view the file list.

We sent a password-protected ZIP to a client last week and now we want to revoke access. Is that possible?

Not with a ZIP file. Once someone has the archive and the password, the contents are theirs permanently. There is no built-in revocation, expiry, or access log in the ZIP format. This is the core limitation. Peony solves it because files live behind a managed link: you can revoke a specific user, an entire domain, or the whole room at any time, and access stops immediately.

My startup co-founder wants to share our cap table ZIP with three angel investors but track who actually opens it. Can a ZIP do that?

ZIP files have zero tracking capability. You will never know whether an investor opened the archive, skipped it, or forwarded it to someone else. Peony's page-level analytics show exactly who accessed each document, how long they spent on every page, and whether they downloaded anything. For a cap table share, that visibility can tell you which investors are genuinely engaged before your next follow-up.

Is there a way to password protect a ZIP on Windows without installing anything?

The built-in Windows "Send to Compressed (zipped) folder" feature compresses files but does not encrypt them at all. You need a third-party tool. 7-Zip is free, open-source, and supports AES-256 for both .zip and .7z formats. After installing, right-click your folder, choose 7-Zip, select Add to Archive, set the encryption method to AES-256, and enter a strong passphrase. If you want to skip passwords entirely and control access through identity verification instead, Peony's screenshot protection blocks and logs any capture attempts so your documents stay contained.

I'm packaging due diligence files into a ZIP for our M&A advisor. Should I encrypt the ZIP and also use a secure sharing platform?

Yes, layering is the right instinct. Encrypt the archive with AES-256 as your at-rest protection, then share it through a platform that handles access control. The archive protects the file if it ever lands on an uncontrolled device; the platform protects it during transit and gives you governance. Peony's AI auto-indexing will organize and tag your uploaded documents automatically, which saves hours when an advisor needs to find a specific contract in a 200-file bundle.

Can I update the files inside a password-protected ZIP after I've already shared the link with someone?

With a traditional ZIP, no. You have to create a new archive, re-encrypt it, and send a new file, which means the recipient now has two versions and you have no control over the old one. Peony lets you replace or add files behind the same secure link. Recipients always see the latest version, and you can set the room to require e-signatures on updated documents so you have a clear record of who acknowledged the new materials.
