Password Protecting PDF Files

How to get PDF password protection to work

Using passwords to protect PDF files

Password protecting PDFs

Here we cover the use of a password to protect the opening of a PDF document rather than a permissions password (which can be easily removed) – see How to remove password protection from PDF files.

If you want to go down the route of applying password protection to PDF documents (in order to share them securely with others), then you need to consider the following points before you start:

  1. What is the minimum length for a PDF password to be effective?
  2. Are there any ‘rules’ for making passwords?
  3. Do I put passwords into PDF documents manually or can it be automated?
  4. How do I know which password went on which file?
  5. How do I re-issue a password to a user when it has been lost/stolen/strayed?
  6. Can I stop people swapping passwords?

So first things first – we need to know how long/complicated we need to make the password if it’s going to prove of any value in protecting your PDF file.

An interesting web article on this can be found at Password security and a comparison of Password Generators.

It starts off by telling you that an 8 character password (a-z, A-Z, 0-9) takes about 13 minutes to crack (guaranteed result by brute force alone), and a 10 character one around 500 hours.  So a password has to be longer than 8 characters if it is to be realistic with today’s technology.  Pass phrases (a series of words rather than characters) are no more and no less secure than anything else, but they might be easier for the recipient to type in, so that is a plus.  Do remember that the recipient has got to type it in (or copy and paste from their preferred password vault).

Also, if you have a ‘strong’ password (more than 10 characters), changing it regularly hardly increases its security – adding another character does – but if it is already ‘strong’ then you create more user chaos by changing it than leaving it alone – because the recipient just has more passwords to cope with.

So far we have addressed the first two bullet points.  You can make strong passwords, and if you do then you should stick with them and not change regularly.

Password Generator Programs

Common password generators such as SecureSafe Pro Password Generator follow a strategy of you setting a master password and then they create ‘derivative’ passwords that will remain constant for that master password – this might be very handy if you have a fixed group of recipients.  It means that you don’t need to store all the passwords you have created and sent out. Enter the same master password (maybe the recipient’s name or email) and you get the same list of derivative passwords.  Otherwise, every time you generate a new password you need to store it and the recipient’s identity somewhere so you can recover it (or if someone loses a password and you have to create a new version of the password protected document for them and remember what you were doing).  This works OK for small groups that don’t change.

Other approaches, such as that from SecureSafe Pro Password Manager, let you do a lot of configuring and then generate a batch of as many passwords as you could want.  This approach is handy if you want to just pick up the next password in the set. But there is no management built in. You just get a list of strong passwords.

Actually transferring passwords into PDF documents can be automated, but you would need to build your own engine to do this.  It would need a Software Development Kit (SDK) to allow you to manipulate the PDF document.  There are many SDKs out there, and the licensing can be a bit complicated as to how many toolkits you can install and how many documents you can process.  An example of a royalty free SDK that can secure, sign and protect PDF comes from Debenu.

Password Administration

So the administration of passwords is starting to get a bit complicated?  And none of the common tools we have looked at appear to have a method of distributing the passwords once they have been generated.  And distributing means getting them into the PDF document as well as getting them to the recipient of the protected PDF document so they can open it when it arrives.

This gets us to the question of what happens when a user ‘loses’ or forgets a password to a document.  Do you send something completely new or do you lookup somewhere what you used last time and re-create the document, or do you rely on your email history to find what you originally sent them and send that again.  The opportunities are endless, as is the amount of manual work created when coping with these problems.  So far we have not seen an organized PDF password management system.
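The 'derivative password' idea from the generator section also answers the re-issue question above. The sketch below is an added example, not the algorithm of any product named on this page: it derives a per-recipient, per-document password from a master key with HMAC-SHA256, so a lost password is recomputed rather than looked up. The function names, the alphabet, the `issue` counter and the sample values are assumptions.

```python
import hashlib
import hmac

# Typeable alphabet (assumption): look-alikes 0/O and 1/l/I are left out so
# the recipient can read the password off a screen and key it in.
ALPHABET = "abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def master_key_from_passphrase(passphrase: str, salt: bytes,
                               iterations: int = 600_000) -> bytes:
    """Stretch the sender's master passphrase into a 32-byte HMAC key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations)


def derive_password(master_key: bytes, recipient: str, document: str,
                    issue: int = 1, length: int = 16) -> str:
    """Same inputs always give the same password, so nothing needs storing.

    Lost password: call again with the same arguments and re-send it.
    Stolen password: bump `issue` and re-protect the document with the result.
    """
    label = "\x00".join([recipient.strip().lower(), document,
                         str(issue)]).encode()
    # Rejection sampling: drop bytes that would bias the modulo mapping.
    limit = 256 - (256 % len(ALPHABET))
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(master_key, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        counter += 1
        for byte in block:
            if byte < limit and len(chars) < length:
                chars.append(ALPHABET[byte % len(ALPHABET)])
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample values; the salt is not secret but must stay fixed.
    key = master_key_from_passphrase("correct horse battery staple", b"pdf-demo")
    for who in ("alice@example.com", "bob@example.com"):
        print(who, derive_password(key, who, "q3-report.pdf"))
```

Anyone who holds the master key can recompute every password issued from it, so the key needs the same protection a stored password list would.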

Can you stop people swapping passwords?  No. Rather like digital signatures, if giving them away does not stop people using the documents then who cares?  It needs a measure of inconvenience such as a watermark that identifies the authorised user, or a control that stops more than one person at a time from using a document, to persuade people not to give away passwords.  Also, allowing users to redefine the security controls based on passwords is basically unsound.  If any outside user can change the security controls then it does not take much to create documents that are not controlled.

Maybe it is symptomatic, but there are far more password remover applications than password generator applications.

So you can make PDF password protection work for small groups if you trust the users NOT to share the documents and passwords with others, but making it manageable, efficient and scalable is not easy.

  Choosing a strong password to protect PDF files

If you are going to use passwords to protect PDF documents then there are a few things that you need to keep in mind.

  • Don’t choose short passwords

    Current cracking tools use a technique called brute force – they start with the shortest possible password and try every combination of characters at that length.  If that fails they add another character and try again until they find it.  Which is guaranteed!  So the shorter the password the quicker the cracker gets there.

  • Don’t pick obvious words as passwords

    Words such as password, master, boss, or even single dictionary words.  If you want to share PDF files securely then using obvious passwords is not going to provide much protection.

    There are tools available on the Internet, such as those from Elcomsoft, that perform what are called dictionary attacks.  Basically they have a massive dictionary of popular and common passwords, and they will try all of them to see if any work.  The process takes maybe a few minutes to run through thousands of these.  Typical passwords NOT to use include: 123456, 123456789, password, admin, 12345678, qwerty, 1234567, 111111, photoshop, 123123, 1234567890, 000000, abc123, 1234, adobe1, macromedia, azerty, iloveyou, aaaaaa, 654321, fred.  If the common passwords fail they switch to using words from dictionaries, often in several different languages.

  • Think about how the passwords will be used

    At the other end of the process you have an end user who has to enter the password.  So you can’t use characters that do not display on screen or are hard to find on a keyboard.  You don’t want a situation where recipients can only get the passwords in by copy and paste (and maybe not then if the characters don’t display properly).  That makes a system unusable.

  • Can the user remember them easily?

    Although people are good at remembering things – phone numbers, post codes – they do not remember 15 random characters very easily, especially if they have more than one password to remember.  Lots of PCs and tablets are getting better at remembering passwords for you, but that also creates a point of weakness if all the passwords are in the one place.  There is then only one place to crack.

    Using two normal words separated by a special character can work well and can be remembered.  Try such things as enable*freeze or money$strength for instance.  They are long and a cracker cannot assume they are related words, or what length they might be.

  • Can you recover a lost password?

    Many systems recognize that passwords get forgotten or lost.  And you need some way of checking that the person requesting a replacement password actually is who they claim.  Many systems set up test questions and ‘secret’ answers, and ask the claimant for a series of characters from a selection of the questions before either resetting or disclosing the password.  This can get a bit complicated and means everyone needs to keep more and more password information, so that can be a problem.

  • What you never do

    Never ever ever tell any machine that is not your own to ‘Remember Me.’  It doesn’t matter how well you know the owner, and certainly not in a public machine (like an Internet café or a conference workstation).  There’s not a lot of point going to the trouble of creating a security system and then handing the keys to anyone on the planet!
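The checks in the list above can be applied to a candidate password before it goes onto a document. This is an added example, not code from the original page: the deny-list is the one quoted above, while the function names, the 32-symbol punctuation count, the printable-ASCII rule and the guess rate used in the demo are assumptions.

```python
import re

# Passwords the article names as ones NOT to use.
COMMON = {"123456", "123456789", "password", "admin", "12345678", "qwerty",
          "1234567", "111111", "photoshop", "123123", "1234567890", "000000",
          "abc123", "1234", "adobe1", "macromedia", "azerty", "iloveyou",
          "aaaaaa", "654321", "fred", "master", "boss"}


def alphabet_size(password: str) -> int:
    """Size of the smallest character set a brute-force run must cover."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
               (r"[^a-zA-Z0-9]", 32))  # 32 = ASCII punctuation (assumption)
    return sum(n for pattern, n in classes if re.search(pattern, password))


def worst_case_hours(password: str, guesses_per_second: float) -> float:
    """Hours to try every string up to this length over that alphabet."""
    size = alphabet_size(password)
    keyspace = sum(size ** n for n in range(1, len(password) + 1))
    return keyspace / guesses_per_second / 3600


def review(password: str, wordlist=frozenset(), min_length: int = 11) -> list:
    """Return the article's objections to a candidate password."""
    problems = []
    if len(password) < min_length:  # article: 'strong' is more than 10
        problems.append("too short")
    if password.lower() in COMMON:
        problems.append("common password")
    if password.lower() in wordlist:
        problems.append("single dictionary word")
    if not all(" " <= ch <= "~" for ch in password):  # printable ASCII only
        problems.append("hard to type or display")
    return problems


if __name__ == "__main__":
    rate = 1e11  # guesses per second: an assumed figure, not a measurement
    words = {"enable", "freeze", "strawberries"}  # constructed sample wordlist
    for candidate in ("adobe1", "strawberries", "enable*freeze"):
        print(candidate, review(candidate, words),
              f"{worst_case_hours(candidate, rate):.3g} h")
```

The worst-case figure only bounds pure brute force; a password that fails the deny-list or wordlist check falls to a dictionary attack long before that.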

Is PDF Password protection right for my business?

As one of the earliest methods of protecting PDF documents, the use of passwords has been in existence for decades.  However, using PDF passwords to control document usage has gained increasingly bad press over the years, because of the disappointing ways in which document creators choose and maintain their passwords and because password protection has come to be seen as a poor security mechanism.

In spite of technological advancement and decades of computer usage, security experts are still finding it difficult to educate people on how to create strong passwords to protect their documents.  Two of the most popular passwords that are still prevalent in most companies are ‘123456’ and ‘password’.  Most users opt for convenience over security when it comes to choosing passwords for protecting PDF files.

In addition, managing numerous passwords for large quantities of PDF files can become a nightmare.  When numerous passwords are used, creating a system to store those passwords can be a huge burden.  To prevent costly management overheads, some companies employ a standard password to be used for all files, which is a huge security weakness.  If passwords are used for securing data in PDF documents, then it is important to continuously keep changing those passwords and to use different passwords for every file.  And this growing list of PDF passwords needs to be maintained and stored securely – one of the highest priorities of securing classified documents is in protecting the entryway – that is the password protecting the document.

In a number of cases, password protected PDF documents have been compromised due to the unintentional involvement of the document user –  they might not be aware of the importance of maintaining strong passwords or storing them in a proper manner, which is an important task that they need to perform.

But protecting PDF files with passwords has other weaknesses.  If you type the keywords ‘Password protect PDF’ online, you will find hundreds of PDF password applications freely available for use.  But amongst those are the most popular PDF password cracking programs or PDF password removal programs which can easily remove the password and unlock the PDF, irrespective of whether the document has been encrypted with a strong algorithm and key length.  Unauthorized users can then use a copy of the original PDF without any passwords or security settings in place.

The use of passwords to securely protect PDF files is clearly not the way forward.

  Secure alternatives to PDF Password Security

Some things to consider when protecting PDF files.

  • Don’t choose a system that uses passwords

    A system that relies on a user entering a password is insecure.  If you use a password based system, check that there are no published cracks and that the implementation is secure – e.g. Adobe 8 was 100 times less secure than previous versions due to how the password checking mechanism was implemented.

  • Don’t choose a system that uses plugins

    Plugins are vulnerable to the systems they plug in to and are inherently insecure and troublesome – see PDF Security plug-in vulnerabilities.

  • Don’t choose a system that uses EXE files

    These need Windows Admin rights to run and you have no control over what the EXE is doing.  These can also be easily compromised and shared.

  • Should I use a PDF Reader Browser based solution?

    With browser based PDF viewers there is no software installed on the client device.  You therefore cannot prevent screen grabbing, stop printing to file drivers (e.g. PDF) if printing is allowed, etc.  Also some less common browsers can ignore the security restrictions you have added.

  • What PDF restrictions do I need?

    Do you need to stop users printing PDFs, stop screen grabbing of content, prevent copy and paste, expire PDFs after a number of days use or on a certain date, watermark content and have the ability to revoke access at any stage?  These are all important items to consider when choosing a PDF Security solution for your business.
