Hands typing password on keyboard. Text on screen: Password with hidden asterisks
How to Securely Password Protect Files and Drives

Many professionals, from doctors to attorneys to businesspeople, use password protection for .pdf or .xls files that they email to others, assuming the files are sufficiently protected from intruding eyes. However, regular password protection is less comprehensive than people think. There are better methods of securely password protecting files and drives.

At a basic level, password protection without encryption of the physical data is useless, as it’s an easily bypassed security method. When security professionals discuss password protection, it’s typically as the method for accessing the data only. The data will usually have its own physical protection against hacking: either software or hardware encryption.

We will explore the difference between password protection based upon software encryption or upon hardware-based encryption, such as on a hardware-encrypted USB or external drive.

There are significant differences between software encryption-based password protection and hardware-based encryption Encryption is an essential tool for protecting user data with a unique password, but are hardware-encrypted drives better at protecting your private data than software-encrypted files or drives? What’s the most effective way to protect, for example, your personal accounting in the run-up to tax season from theft, loss, or hacking?

Password-protected files

Kingston IronKey USBs laying flat on a dark backdrop.

Many applications (such as MS Word, Excel, Adobe Acrobat, etc.) provide the option to create “password-protected” files. Applications will implement some form of software encryption on the files to physically protect the data. On occasion, the level of encryption is not specified, so users are unaware what mechanism is used on the actual data itself, beyond the added password protection. Windows also offers BitLocker software encryption capable of encrypting either drives or files on computer drives. The latest BitLocker versions support state-of-the-art Advanced Encryption Standard (AES) 256-bit in XTS mode, which is the standard you should insist upon.

BitLocker is one example of a software tool that provides software encryption by encrypting data and locking it behind a password gate. With the encryption in place, file data is scrambled by an algorithm (AES is one example) as it’s written to the drive. When a user inputs the right password, the data is unscrambled as it’s read from the drive.

Developers like software encryption because it’s inexpensive to implement, needs no specialist hardware, and has encryption software, which is easily licensable if needed. With these benefits, though, comes the downside: If a user’s password is compromised by hackers who can sniff a computer’s memory for the password or encryption and drive recovery keys, the encryption’s benefit is negated. Another issue is that software encryption requires your computer’s processing power to operate. If a user opens or closes large, encrypted files like images or videos, it can influence system performance.

Software encryption can be suitable for users for whom data security is an afterthought, or a ‘nice-to-have’. In those cases, the software encryption tools available to password-protect files should be good enough for your computer, emails, or cloud account.

However, software encryption does not limit password guessing, also known as Brute Force or Dictionary attacks, where a hacker uses a process of elimination and automated tools to break passwords. The internet has many tools to remove passwords on many kinds of files and decrypt their data. With most passwords today about 8 characters long, high-performance computers can guess over a billion passwords per second, meaning many software encrypted files can be quickly unlocked, their data compromised. Experts recommend that people move to passwords at least 12 characters long, to slow down hackers attacking software encryption.

The solution is to use hardware-encrypted USB and external SSDs to secure your data. They protect against Brute Force attacks with the best AES 256-bit encryption in XTS mode. You can also make Brute Force attacks less effective with complex passwords longer than 12-16 characters, or passphrases of multiple words, with a total length exceeding 12 characters.

Hardware encryption

A laptop with a USB drive inserted. The screen shows a password entry window.

Hardware encryption is powered by a separate secure microprocessor dedicated to user authentication and data encryption, unlike software encryption. People consider it more secure because its processes are separate from the rest of the computer, and therefore exponentially harder to intercept or attack. This degree of separation for the processor means the encryption processes are also much faster, as a hardware-encrypted device handles all data processing.

Hardware-encrypted drives are more expensive than software encryption options, as they contain advanced components, more sophisticated technology, and are designed from the ground up as data protection devices (unlike unencrypted alternatives). Typical USB devices are simple storage devices with no security measures, while hardware-encrypted drives are built solely to protect data, like an insurance policy against drive theft or loss.

Companies in compliance with privacy laws and regulations (e.g. HIPAA, GDPR, CCPA among others) can find the legal costs of a breach caused by a standard USB drive loss or theft to be many orders of magnitude more expensive than the costs of a hardware-encrypted drive. The impact of increasing data breaches worldwide is driving up costs and requires stronger data protection.

It ultimately comes down to what price you put on your most sensitive personal data.

Benefits of hardware-based encryption

A lock and key on a laptop, the symbol of a closed lock and circuitboard connections superimposed.

There are multiple reasons to recommend hardware-based encryption:

  • Harder to attack: Drives like those in the Kingston IronKey line are designed to be resistant to hacker attacks, unlike software encryption options. They have additional protections against methods like Brute Force password attacks. Hardware-based encryption can count total password attempts, ultimately crypto-erasing the drive after a certain number. Cybercriminals tend to prioritize hacking software-based solutions, as lower-hanging fruit.
  • Physically and digitally resilient: Hardware-encrypted drives with military-grade security as defined by the NIST FIPS 140-3 Level 3 standard for the United States government have added protections against physical tampering. They use epoxy to form a protective seal around a drive’s internal components, making them more resilient against physical attacks. The best-in-class IronKey D500S and IronKey Keypad 200 Series with FIPS 140-3 Level 3 (pending) certification are epoxy-filled inside the casing, incorporating various defenses against attacks. These defense mechanisms, including shutting down when excessive temperatures or voltages are reached, power-on self-testing to detect anomalies and shut down if positive, and other penetration-testing defenses, are mandated by the FIPS 140-3 Level 3 standard.

    For a drive to receive FIPS 140-3 Level 3 certification, drives must undergo the best third-party validation in the computer industry: being thoroughly reviewed and tested by a NIST-certified lab. NIST is responsible for the AES 256-bit encryption used by US government agencies. FIPS 140-3 Level 3 certification can take years to achieve and represents a trustworthy stamp of approval for customers, signaling a product that’s extremely resilient to attacks and helpful in regulatory compliance.
  • Portable: While you might not always be able to transport a desktop or laptop computer, hardware-encrypted USBs or external SSDs are easy to carry everywhere. No need to risk emailing financial documents to an accountant or attorney or storing sensitive data on the cloud – you can keep private data off the grid, securely in your possession. An external drive like the IronKey Vault Privacy 80ES gives you the option of backing up as much as 8TB of data away from the Internet in a location you control.
  • Compliance with Laws and Regulations: Data encryption is a requirement in many contexts. For example, HIPAA in US healthcare, GDPR in the European Union, and more besides. Kingston IronKey drives can help with compliance since data on them is always encrypted. Complex password/passphrase authentication gates access to the drive (Kingston IronKey drives support passphrases of up to 64 characters, and 128 for the D500S). Brute Force attack protection counters penetration attacks, and if password hacking is attempted, the drive can wipe its data and reset to factory state.

Recovering data


Someone types on a laptop. File structure graphics are superimposed.

Data recovery is another point of distinction for hardware- and software-based encryption tech. Microsoft BitLocker has a Recovery Key to be printed or saved for later use. Kingston IronKey drives offer a multi-password option so that the drive can be accessed if one or more passwords are lost.

With ransomware attacks rising, regular backups are critical to data recovery. For all encryption choices, the best solution is a 3-2-1 backup strategy. Make 3 copies of the data, 2 different media or drives in case of single drive failure or corruption, store 1 drive in a different location. For backups, the IronKey VP80ES is a good solution, ranging from 1TB to 8TB in capacity. Most IronKey USB drives go up to 512GB.

Cloud-based backups are used by some, but risk exposure to breaches associated with cloud storage, and other security issues. Cloud data storage is essentially storing your data on someone else’s computer. If the cloud backup isn’t accessible when needed, your data recovery and resumption of business activity could be delayed. Cloud providers have been reported to be hit by ransomware attacks too, which can delay a user’s access to their data. Hardware-encrypted solutions offer more robust and comprehensive data protection than software-based options, for true “password protection” of essential files. Ultimately, it comes down to the value you place on your documents and how much protection you require.

#KingstonIsWithYou #KingstonIronKey

Related Videos

Related Articles