How to Password Protect a ZIP File With Strong Encryption

The default password protection in most ZIP tools is mathematically broken, and most users never notice. Putting a password on a ZIP feels like you have secured the file, but Windows Explorer's built-in compression applies no password at all, and an archive encrypted with the default settings of older tools can be cracked in minutes on a modern laptop.

This guide explains how to password protect a ZIP file properly, using AES-256 encryption that actually resists attack. The free tools take three minutes to install and the encryption is the same standard used by banks and government agencies. The hard part is just knowing which checkbox to tick.

Key Takeaways

  • Use AES-256, not ZipCrypto. The default ZIP encryption is broken — always select AES-256 in the encryption dropdown.
  • Best free option: 7-Zip with .7z format (encrypts file names too, not just contents)
  • Password length matters more than complexity. Twelve random characters beats eight clever ones.
  • Save the password before encrypting. AES-256 has no recovery — forgotten means gone forever.

Why default ZIP encryption is unsafe: ZipCrypto (sometimes called "PKZIP 2.0" or "Standard ZIP encryption") is the original ZIP encryption from 1989. It has a known cryptographic weakness that lets an attacker with even a small piece of the original unencrypted content recover the entire password through a "known plaintext attack." Modern laptops can run this attack in minutes. Always select AES-256 when given the option.

Why the Encryption Standard Matters

When you click "Add password" in a ZIP tool, you might assume any encryption is better than none. That assumption used to be reasonable. It is not anymore. ZIP files support two encryption methods:

  • ZipCrypto (legacy): The original encryption from 1989. Fast but mathematically broken. Should never be used for content you actually want to protect.
  • AES-256 (modern): The same encryption used by financial institutions and government secrecy systems. With a strong password, an AES-256 archive is practically uncrackable with current technology.

Most ZIP tools default to ZipCrypto for compatibility reasons — every ZIP reader from 1990 onward can open it. AES-256 requires a more modern tool to extract. For genuine protection, the right move is to use AES-256 and accept that your recipient may need a current tool (like free 7-Zip or PeaZip) to open the archive.

When ZIP Password Protection Actually Helps

Strong ZIP encryption is genuinely useful in several specific situations:

  • Emailing sensitive documents — tax returns, contracts, scanned IDs — through a service you do not fully trust
  • Backing up personal records to cloud storage where you want the cloud provider unable to read the contents
  • Shipping client deliverables through file transfer services that lack built-in encryption
  • Storing financial records on USB drives that might be lost or stolen

It does not replace dedicated secure file transfer (Tresorit, ProtonDrive) or password-managed sharing — but for one-off needs to send a sensitive ZIP through standard channels, it is the right tool.

The Best Options Compared

1. 7-Zip on Windows — the free standard

Platform: Windows (third-party ports for Mac/Linux)
Encryption: AES-256 (.7z and .zip)
Cost: Free, open-source

7-Zip is the default answer for Windows users who want strong ZIP encryption without paying. Right-click any file or folder, choose 7-Zip → Add to archive, set the format to either .7z or .zip, and enter a password in the Encryption section on the right side of the dialog. Crucially, for .zip output, change the Encryption method dropdown from ZipCrypto to AES-256.

The .7z format has a meaningful advantage over encrypted .zip: it encrypts file names too. With an encrypted ZIP, anyone who intercepts the file can see what is inside (file names like "tax_return_2025.pdf" leak the content type). With an encrypted 7z, even the file list is hidden until the password is entered.

Pros

  • Free, open-source, no ads or nag screens
  • AES-256 in both .zip and .7z formats
  • .7z format encrypts file names (.zip does not)
  • Integrates with Windows right-click menu
  • Auditable encryption implementation

Cons

  • Recipients need 7-Zip or equivalent to open .7z files
  • Interface looks dated
  • Easy to miss the AES-256 dropdown (defaults to ZipCrypto)

2. PeaZip — cross-platform with multiple ciphers

Platform: Windows, Linux
Encryption: AES-256, Twofish, Serpent
Cost: Free, open-source

PeaZip offers more encryption choices than 7-Zip, including the option to chain multiple ciphers (AES-256 + Twofish + Serpent) for users who want belt-and-suspenders protection. For 99% of users this is unnecessary — AES-256 alone is enough — but PeaZip's interface makes the encryption settings more visible and harder to skip.

PeaZip also includes a built-in password generator and a file shredder for securely deleting the unencrypted original after creating the protected archive. Both are useful features that 7-Zip lacks.

Pros

  • Multiple cipher options (AES-256, Twofish, Serpent)
  • Built-in password generator
  • File shredder for secure deletion of originals
  • Cross-platform (Windows + Linux)
  • More obvious encryption settings than 7-Zip

Cons

  • Heavier interface than 7-Zip (~15 MB)
  • No native macOS build
  • Multi-cipher chaining is overkill for most users

3. WinRAR — if you need RAR5 format

Platform: Windows, Mac, Linux (CLI)
Encryption: AES-256 in RAR5
Cost: $29 (40-day trial, nag screen after)

WinRAR creates RAR5 archives with AES-256 encryption and optional "recovery records" that let damaged archives still extract. For sensitive backups stored on physical media (USB drives, external hard disks), the recovery records are meaningful — a single bad sector on the drive will not destroy the entire archive.

WinRAR can also create encrypted ZIPs with AES-256 if you specifically need ZIP format. For ZIP creation specifically, 7-Zip is the cleaner free choice; WinRAR's value is when you want RAR-format archives with recovery features.

Pros

  • Recovery records protect against media corruption
  • AES-256 in both RAR5 and ZIP formats
  • Made by the original RAR developers
  • Cross-platform support

Cons

  • Paid software (nag screen after trial)
  • RAR5 format is less universal than ZIP
  • Overkill if you only need encrypted ZIPs (use 7-Zip instead)

4. macOS Terminal — built-in but weak

Platform: macOS
Encryption: ZipCrypto (weak)
Cost: Free (built into macOS)

macOS has a built-in zip command that supports basic password protection: open Terminal, navigate to the folder, and run zip -e archive.zip file1.txt file2.txt. It prompts for the password, then creates an encrypted ZIP. The whole process takes 30 seconds and requires no install.

The catch: macOS's built-in zip uses the weak ZipCrypto encryption, which can be cracked. This is fine for casual privacy ("hide this from my family") but inadequate for sensitive content. For real protection on Mac, install free Keka from the App Store and use its AES-256 option.

Pros

  • No install — built into macOS
  • Scriptable for batch operations
  • Universally compatible ZIP output

Cons

  • Uses ZipCrypto (weak encryption)
  • Not suitable for sensitive documents
  • Command-line only — no GUI

Side-by-Side Comparison

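Tool               | Encryption                 | File Name Hidden? | Cost
-------------------|----------------------------|-------------------|----------------------
7-Zip (.7z)        | AES-256                    | Yes               | Free
7-Zip (.zip)       | AES-256                    | No                | Free
PeaZip (.7z)       | AES-256, Twofish, Serpent  | Yes               | Free
WinRAR (.rar)      | AES-256 + recovery records | Yes               | $29 (nag after trial)
macOS Terminal zip | ZipCrypto (weak)           | No                | Free (built-in)
Windows Explorer   | None at all                | N/A               | Free (built-in)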

Step-by-Step: Password Protect a ZIP With 7-Zip

  1. Install 7-Zip from 7-zip.org (Windows) — about 2 MB, takes under a minute.
  2. Select the files you want to protect in File Explorer. Right-click the selection.
  3. Choose 7-Zip → Add to archive from the context menu. A dialog opens.
  4. Set Archive format to 7z (recommended for stronger protection including file name hiding) or zip (for maximum compatibility).
  5. Enter your password in the Encryption section on the right side of the dialog. Use 12+ characters with mixed types.
  6. Change Encryption method to AES-256 in the dropdown (if you chose .zip format). For .7z, AES-256 is automatic.
  7. Tick "Encrypt file names" if you chose .7z format. This hides the list of files inside until the password is entered.
  8. Click OK. 7-Zip creates the encrypted archive in the same folder as your source files.
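  9. Verify it worked. Double-click the new archive. A .7z created with "Encrypt file names" should prompt for the password before showing any file names; if names appear without a prompt, file name encryption did not apply. An encrypted .zip always shows its file list, so open one of the files inside: it should prompt for the password before showing any content.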
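
For .zip output, the check in step 9 can also be done by reading the archive's central directory, which is never encrypted. The following is an added example, not part of the original guide or of 7-Zip: it uses Python's standard zipfile module to report whether each entry is unencrypted, ZipCrypto, or WinZip-style AES and at what key size. The function names and the sample entries are constructed for illustration, and it applies to .zip only, not .7z.

```python
import struct
import zipfile

AES_EXTRA_ID = 0x9901                    # WinZip AES extra-field header ID
AES_BITS = {1: 128, 2: 192, 3: 256}      # strength byte -> key size in bits

def entry_encryption(info):
    """Classify one central-directory entry: none, ZipCrypto or AES-<bits>."""
    if not info.flag_bits & 0x1:         # general-purpose bit 0 = encrypted
        return "none"
    if info.compress_type != 99:         # method 99 marks WinZip-style AES
        return "ZipCrypto"               # assumption: no PKWARE strong encryption
    extra = info.extra
    while len(extra) >= 4:               # walk (id, size, data) extra records
        field_id, size = struct.unpack("<HH", extra[:4])
        data = extra[4:4 + size]
        if field_id == AES_EXTRA_ID and len(data) >= 7:
            return f"AES-{AES_BITS.get(data[4], '?')}"  # data[4] = strength
        extra = extra[4 + size:]
    return "AES-?"

def audit(entries):
    """Return (report, weak): every file's status, and names below AES-256."""
    report = [(e.filename, entry_encryption(e)) for e in entries if not e.is_dir()]
    weak = [name for name, enc in report if enc != "AES-256"]
    return report, weak

def audit_file(path):
    """Audit a real .zip; only the central directory is read, no password."""
    with zipfile.ZipFile(path) as zf:
        return audit(zf.infolist())

def sample_entry(name, flags, method, extra=b""):
    """Constructed stand-in for a central-directory record (not a real file)."""
    info = zipfile.ZipInfo(name)
    info.flag_bits, info.compress_type, info.extra = flags, method, extra
    return info

# Constructed AES extra field: id, size 7, AE-2, vendor "AE", strength 3, deflate
AES256_EXTRA = struct.pack("<HHH2sBH", AES_EXTRA_ID, 7, 2, b"AE", 3, 8)
SAMPLES = [
    sample_entry("tax_return_2025.pdf", 0x1, 99, AES256_EXTRA),
    sample_entry("contract.docx", 0x1, 8),    # encrypted, legacy method
    sample_entry("readme.txt", 0x0, 8),       # not encrypted at all
]

if __name__ == "__main__":
    report, weak = audit(SAMPLES)
    for name, enc in report:
        print(f"{enc:10} {name}")
    print("below AES-256:", weak)
```

Calling audit_file("archive.zip") on a freshly created archive lists every file name without asking for a password, which is the file name leak described for the .zip format. Any entry it reports as ZipCrypto means the Encryption method dropdown was left at its default.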

Picking by Use Case

Sending a tax return or contract by email

Use 7-Zip with .zip format and AES-256. ZIP is universally openable, AES-256 is genuinely secure, and you can share the password through a separate channel (text message, phone call) for additional security.

Backing up personal records to cloud storage

Use 7-Zip with .7z format and AES-256 plus encrypted file names. The cloud provider sees an opaque blob, not even your file names. Strong AES-256 means the encryption survives even if the cloud provider is compromised.

Shipping client deliverables on a USB drive

Use WinRAR with RAR5 format, AES-256, and recovery records enabled. The recovery records protect against media corruption — a single bad sector will not lose the whole archive.

Hiding casual files from family on a shared Mac

Built-in Terminal zip is fine. ZipCrypto is weak in cryptographic terms but holds up against casual snooping. For anything more sensitive, install Keka or PeaZip.

Common Mistakes to Avoid

Using Windows Explorer's built-in ZIP compression: It has no password option at all. Many users think their ZIP is encrypted when they put it in a password-protected folder; the ZIP itself is not protected. Always use a third-party tool.

Picking the default encryption method: 7-Zip defaults to ZipCrypto when creating .zip files. You must manually change the dropdown to AES-256. This single click is the difference between unbreakable and crackable-in-minutes.

Using a short password: An 8-character password with AES-256 can still be cracked through brute force given enough time. Use 12+ characters minimum, and ideally 16+ for genuinely sensitive content.

Storing the password in the same email as the ZIP: Defeats the purpose. Send the file through one channel, the password through a different one.

Forgetting that file names leak in ZIP format: Encrypted ZIP files reveal the names of files inside even without the password. For genuine privacy, use the .7z format with "Encrypt file names" enabled.

Frequently Asked Questions

What is the strongest free way to password protect a ZIP file?

7-Zip with AES-256 encryption in the .7z format. It protects both file contents and file names, uses modern encryption, and is open-source.

Is default ZIP password protection secure?

No. The default ZipCrypto encryption is mathematically broken and can be cracked in minutes on a modern computer. Always select AES-256 instead.

Can I password protect a ZIP file on Mac without installing software?

Yes — use Terminal: zip -e archive.zip file1.txt. But this uses weak ZipCrypto. For real protection on Mac, install Keka or PeaZip and use AES-256.

What happens if I forget the password?

With AES-256, the archive is unrecoverable. There is no recovery service, no backdoor, no support. Always save passwords in a password manager before encrypting.

Should I use ZIP or 7z format for encryption?

Use 7z if your recipient has a 7z-capable tool. 7z encrypts file names too, while encrypted ZIPs leak the file list. Use ZIP only when maximum compatibility is required.

The Verdict

For most users, the answer is simple: install 7-Zip, create archives with .7z format and AES-256, and enable "Encrypt file names" for genuinely sensitive content. The whole workflow takes three minutes and gives you the same encryption strength used by banks. The only ongoing discipline needed is saving the password in a password manager before you create the archive.

For background on archive formats, see our ZIP vs 7z vs RAR comparison and our full 7-Zip review. For an external reference, the official 7z format documentation covers the technical details of how AES-256 is applied.

Next step: install 7-Zip from the official site, create a test archive with a real password, and verify the encryption by trying to open it. Once the workflow is familiar, applying it to actual sensitive files takes 30 seconds.