During a pentest, you retrieve a USB key from a box of discarded hardware that was just sitting by a number of other items. You check the key for files and it turns out to have a number of .pdf documents that could have sensitive information. If this information were to get leaked it would be a great risk to your client. In your report you point this out but the customer doesn't see the problem as all of the documents were password protected.
Why isn't this enough to prevent the information leakage?
A) Without knowing the original user of the file the information could be inaccurate or not relevant, however, if something thinks it is they would still try to use it during a social engineering attack.
B) Many tools that are easy to obtain can brute force the passwords. It is also common for documents of this nature to use easy to remember dictionary words that are also often the same for many files.
C) Since the password must always be stored in the file itself, it is fairly easy to use a common hex editor to analyze the file and extract the credentials
D) The passwords are usually stored using a very strong encryption, but notepad will usually open the files in clear text anyway

Question

Quizplus · Accepted Answer

The password must be stored in the file, but a strong key can be generated from it to protect the data from being visible to alternative readers. It is possible however, to brute force the file and tools such as those from "Elcomsoft" make short work of most file formats.

During a Pentest, You Retrieve a USB Key from a Box