Two Ways to Password Protect Files
When you add a password to a shared file, you are adding a gate between the download link and the actual file. But not all password protection is created equal. There are two fundamentally different approaches and the difference matters more than most people realize.
The first approach is server-side password protection. The second is end-to-end encryption with a password. They look similar to the user but they work very differently under the hood. This guide covers both, explains when to use each and walks through the steps on EasySend.
Approach 1: Server-Side Access Password
How It Works
A server-side password acts as a gate. When someone clicks your download link, the server asks for a password before allowing the download. The file itself is stored on the server in a readable format (or encrypted with a key the server controls). The password simply controls who can access the download page.
Think of it like a locked front door. The door keeps strangers out, but the homeowner (the server) can still walk around inside the house whenever they want.
What It Protects Against
- Accidental link sharing - if someone finds or guesses the download link, they still need the password
- Casual snooping - prevents unauthorized people from downloading if they stumble on the link
- Link forwarding - if a recipient forwards the link, the new person cannot download without the password
What It Does Not Protect Against
- Server breaches - the file is stored unencrypted (or with server-held keys), so a breach exposes the actual file
- Insider access - employees of the hosting company can read the file
- Legal requests - the company can hand over the readable file in response to a subpoena
- File scanning - the server can scan and analyze the file contents
Server-side passwords are adequate for non-sensitive files where you just want basic access control. Think of sharing a presentation with your team or distributing event photos. The content is not secret but you want some control over who downloads it.
Approach 2: End-to-End Encryption with Password
How It Works
With E2E encryption, the password is not just a gate. It is the key. Your browser uses the password to derive a cryptographic key (using PBKDF2 with hundreds of thousands of iterations) and then encrypts the file with AES-256-GCM before uploading it. The server stores only the encrypted blob. It never sees the password or the original file.
When the recipient enters the password, their browser derives the same key and decrypts the file locally. The server is just a dumb pipe that moves encrypted data around. Learn more about how this works on the encryption explained page.
What It Protects Against
- Everything from Approach 1 plus:
- Server breaches - a breach exposes only encrypted blobs that are useless without the password
- Insider access - no employee at the hosting company can read the file
- Legal requests - the company can only hand over encrypted data, not the readable file
- File scanning - the server cannot scan what it cannot decrypt
What It Does Not Protect Against
- Weak passwords - a password like "1234" can be brute-forced regardless of the encryption
- Sharing the password alongside the link - if both travel in the same message, an interceptor gets everything
- Compromised devices - malware on the sender's or recipient's device can capture the file after decryption
Comparison Table
| Feature | Server-Side Password | E2E Encryption |
|---|---|---|
| Blocks unauthorized downloads | Yes | Yes |
| Server can read file | Yes | No |
| Survives server breach | No | Yes |
| Setup complexity | Very easy | Easy (one toggle) |
| Best for | Casual access control | Sensitive data |
How to Password Protect Files on EasySend
Option A: Server-Side Password (Quick Access Control)
- Go to easysend.co
- Drop your files into the upload area
- After upload completes, find the password protection option
- Enter a password
- Share the download link with your recipient
- Tell them the password (ideally through a different channel than the link)
This is the fastest option when you need basic access control but the file contents are not highly sensitive.
Option B: E2E Encrypted Password (True Protection)
- Go to easysend.co
- Toggle the encryption switch on before uploading
- Enter a strong password (12+ characters with mixed case and numbers)
- Drop your files. The browser encrypts each file locally before upload.
- Share the download link through one channel (email, Slack, etc.)
- Share the password through a different channel (text message, phone call, in person)
The two-channel approach is important. If you send the link and password in the same email, anyone who compromises that email gets both. Splitting them across channels means an attacker must compromise two separate systems. Read more about this practice in the secure file sharing guide.
Choosing a Strong Password
The encryption is only as strong as the password you choose. Here are practical guidelines:
- Length matters most - a 16-character password with only lowercase letters is stronger than an 8-character password with symbols
- Use a passphrase - four or five random words like "correct horse battery staple" are easy to remember and hard to crack
- Avoid personal info - no birthdays, pet names or addresses
- Do not reuse passwords - if you use the same password for every encrypted file and it leaks once, every file is compromised
- Use a password manager - tools like Bitwarden or 1Password generate and store strong passwords
With PBKDF2 key derivation using 600,000 iterations, even a modest password becomes extremely expensive to brute force. But "expensive" is not "impossible." A strong password puts you well into the "not worth attacking" territory.
Business Use Cases
Legal Documents
Law firms regularly share contracts, discovery documents and privileged communications. These files require confidentiality by law. E2E encryption ensures that even if the file sharing service is subpoenaed, it cannot produce the readable documents. Share the link via email, then call the client with the password.
Financial Records
Accountants sharing tax returns, financial statements and payroll data need to protect against both unauthorized access and server-side exposure. E2E encryption satisfies compliance requirements for data protection without complex enterprise software.
Healthcare Data
Patient records and medical images fall under strict privacy regulations. Zero-knowledge encryption means the file sharing service never processes or stores readable health data. This simplifies compliance because the service provider is never a "data processor" of the actual content.
HR and Recruitment
Resumes, offer letters, performance reviews and salary information are highly sensitive. A server-side password is insufficient because a breach would expose this data. E2E encryption ensures that even internal IT staff at the hosting provider cannot access personnel files.
Internal Team Sharing
For sharing internal presentations, design files or meeting notes that are not confidential but should not be publicly accessible, a server-side password is usually sufficient. It prevents accidental leaks without the extra step of managing encryption passwords.
Common Mistakes to Avoid
- Sending the link and password in the same message - this defeats the purpose. Use separate channels.
- Using "password" as the password - attackers try common passwords first. Always.
- Forgetting to tell the recipient the password - they will contact you asking for it, often through an insecure channel. Share it proactively.
- Not setting an expiry - password-protected links that live forever are still a liability. Set an expiry date.
- Assuming the lock icon means E2E - many services show a lock icon for server-side passwords. Check whether the encryption is client-side or server-side.
The Bottom Line
If the file is not sensitive, a server-side password is fine. If the file contains anything you would not want a stranger reading, use E2E encryption. EasySend makes both options available with no account required. Toggle encryption on, choose a strong password and your files are protected by AES-256-GCM before they ever leave your browser.
For a deeper dive into the cryptography behind this, see how EasySend's encryption works. For general privacy practices, read the policy. It takes about two minutes.
Related Guides
- Secure File Sharing on EasySend - full guide to encrypted sharing
- How End-to-End Encryption Works - visual breakdown of AES-256-GCM
- Security Glossary - PBKDF2, AES, E2E and zero-knowledge defined
- EasySend Privacy Policy - data handling practices
- Why Zero-Knowledge Encryption Matters - deep dive into the architecture