PDF Password Security

Password Protection of PDF Files: Are PDF passwords secure?

Password protection & Adobe PDF documents: History

PDF documents were first developed during the early 1990s as a means of sharing documents among users who had heterogeneous platforms and did not necessarily have the accessibility to mutually consistent application software amongst themselves.

The first edition of the PDF format, 1.0, was released in 1993 by Adobe without any protection or document security features.  Since then Adobe have added additional PDF security features such as encryption and digital signatures to the PDF format so that users can password protect PDF files against unauthorized use and add restrictions to prevent editing and printing of content.

The use of passwords for PDF protection is, at best, questionable.  If you password protect a PDF with an owner password (required to open the document) then you need to give this to those you wish to share the document with.  This requires both password management and separate distribution (since sending a password with the password protected PDF is clearly not secure).  And if you have applied any restrictions to the PDF then these can be easily removed with free PDF Password Recovery programs.

A History of PDF Password Security : Protection and encryption functions

  • 1.1 - 1996

    PDF password protection

    Adobe Systems added the ability to protect PDF files with a password.

  • 1.3 - 1999

    Digital Signatures & RC4 encryption

    Adobe Systems introduced digital signatures and 40-bit RC4 encryption.  From this point on, PDF files began to be encrypted for security purposes and digitally signed for authentication by business users and those who needed an added level of protection when distributing PDF documents.  During this stage, there was no other access control mechanism for PDF documents, so passwords became extremely common across the world and were used by a majority of users, simply because there was nothing else available at the time.

  • 1.4 - 2001

    128-bit RC4 encryption supported

    Adobe adds 128‑bit RC4 encryption for PDF Password protection.

  • 1.5 - 2003

    Usage right signatures and digital certificates

    Adobe added the ability for sections of content to be hidden in a PDF document and usage right signatures to validate that permissions had been granted by a bona fide authority.  Adobe Reader verifies that the signature uses a certificate from an Adobe-authorized certificate authority.

  • 1.6 - 2005

    128‑bit AES encryption supported

    Adobe adds 128‑bit AES encryption in Adobe Acrobat 7.0 & Adobe Reader 7.0.

  • 1.7 - 2006

    Password checking security weakness

    Adobe changes password checking method in Acrobat 8 to speed up password authentication.  This introduced a serious security weakness that PDF Password removal software took advantage of to remove PDF owner passwords 100 times faster than before.

  • 2008

    Adobe Extension level 3

    Adobe handed over the PDF standard to the ISO organization which meant they could no longer release new versions of the file format.  Instead they added custom features to PDF that only their own software supports.  In 2008 they added AES encryption.  Other PDF creation companies followed suit.

  • 2.0 - 2017

    AES encryption supported

    Version 2.0 defines 256-bit AES encryption as standard.

Types of PDF Password

The basic level of security provided by Acrobat PDF consists of two password controls: a password that encrypts the PDF and prevents the document from being opened (owner password), and a second password (permissions password) that determines which operations are restricted even when the document is decrypted.  These restrictions can cover printing the document, copying text or other content from it, duplicating graphics, modifying the content, or adding or deleting notes and text within AcroForm fields.

  • The owner password

    This is used for authorizing the opening of the file as well as encrypting the PDF.  If this password needs to be broken (for example the owner has lost it), it requires password cracking utilities to do so.  The difficulty of the job depends on the strength of the password (its length and makeup) and the method of encryption (smaller key sizes for example can be broken more easily than larger ones, and the encryption algorithm used also makes a difference).  The owner password can be made highly secure, provided that a strong password is employed and the method of encryption is robust, without previously known attacks.

  • The permissions password

    This controls the document operations (how the PDF content can be used).  It is not used in encrypting the PDF, but instead relies on the software of the client to adhere to these restrictions, which makes it an insecure option.  Permissions passwords can therefore easily be removed by the large number of PDF cracking programs freely available on the net.
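The encryption method and the usage restrictions described above are both recorded in a PDF's encryption dictionary, so a document owner can audit them directly. The following is an added example, not code from the original page: it reads the /V, /Length, /CFM and /P entries defined by the PDF specification from a constructed sample dictionary, and the function names (`cipher`, `audit`) and the sample values are assumptions made for illustration.

```python
import re

# /P permission bits (ISO 32000-1, Table 22); a set bit means the action is allowed.
PERMISSION_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate", 9: "fill_forms",
                   10: "extract_accessibility", 11: "assemble", 12: "print_high_quality"}

# Constructed sample /Encrypt dictionary (the /O and /U password entries are omitted).
SAMPLE = b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1340 >>"

def _int_entry(d, key, default):
    """Return the integer value of a dictionary key such as /V or /P."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default

def cipher(d):
    """Map /V (and the crypt filter method /CFM) to an algorithm and key size."""
    v = _int_entry(d, b"V", 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", d)
    cfm = cfm.group(1).decode() if cfm else ""
    if v == 1:
        return "RC4", 40
    if v == 2:
        return "RC4", _int_entry(d, b"Length", 40)
    if v == 4:  # crypt filters: AESV2 is AES-128; V2 is RC4 (128-bit assumed here)
        return ("AES", 128) if cfm == "AESV2" else ("RC4", 128)
    if v == 5:
        return "AES", 256
    return "unknown", 0

def audit(d):
    """Summarise cipher strength and which usage restrictions /P requests."""
    algo, bits = cipher(d)
    p = _int_entry(d, b"P", -1) & 0xFFFFFFFF  # /P is stored as a signed 32-bit integer
    allowed = sorted(n for b, n in PERMISSION_BITS.items() if p >> (b - 1) & 1)
    denied = sorted(set(PERMISSION_BITS.values()) - set(allowed))
    findings = []
    if algo == "RC4":
        findings.append(f"{algo}-{bits}: legacy cipher, re-protect with AES")
    if denied:
        findings.append("restrictions are flags in /P, honoured only by the viewer")
    return {"cipher": f"{algo}-{bits}", "allowed": allowed, "denied": denied,
            "findings": findings}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The regular expressions assume a flat dictionary like the sample; a real file needs a PDF parser to locate and resolve the /Encrypt object first.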

Is PDF password protection a secure method to protect PDF files?

Most people are of the opinion that PDF password protection helps to keep their PDF data secure and safe.  However, this is not entirely true.  Although passwords have been the most common form of security by which users prove their identity to a PDF file, it has also been the most vulnerable.  Experts recommend that PDF password protection should not be widely used, especially to safeguard confidential information.

Since protecting PDF files with passwords is not much better than not doing so, why is PDF password protection so widely used?  One of the main reasons why password-based authentication of PDF files has become so common is not because of the security that it offers but because of the ease of use, low cost, simplicity and practicality.  Almost every PDF creation application has PDF password protection functionality built-in, and that provides a quick and easy security option for users.

So how secure are password protected PDFs?

There are a number of aspects that determine how safe such “PDF password protected” files really are.

  1. Most PDF passwords used are weak, and once one person knows the password to open the document they can share it with others.  The document restrictions can then be easily removed.  Studies reveal that users often make a note of their passwords and place them in visible locations while some others build extremely weak passwords based on simple dictionary words or personal data, which can be easily deduced by people who know enough about them.  A weak password is the weakest link in a password based PDF security system.
  2. Protecting PDF documents with the help of passwords has been easily exploited by hackers because most users are ignorant of the kind of passwords that they should use to secure PDF documents.  A majority of users secure their PDF documents with short and easy to crack passwords, since it is easier to remember shorter words rather than long-drawn, complex and difficult-to-remember characters.  Using short passwords was considered to be an important business etiquette (ease of use), simply because doing so allowed the recipient to easily open the document, rather than concentrating on a realistically secure password as a defence mechanism.  It is also widely acknowledged that most users reuse old passwords.
  3. The fact that confidential data in a PDF document hinges on the secrecy of a single password is in itself a dangerous notion.  A PDF file that is dependent on password-based authentication relies on a single word for security; this in itself is a significant vulnerability.  If an authorized user is given the password to open the PDF document then there is nothing preventing him/her from sharing the password with others – so security here is really a matter of trust.  If an unauthorised user gains knowledge of the password or uses password cracking tools to break the PDF password security, they can gain easy access to the PDF file contents.  An attacker who gains knowledge of the password can completely compromise the security of the PDF file, removing the security and making it available to others without the need to enter a password (or the password could just as easily be published along with the file).
  4. And then of course there is the permissions password that controls what users can do with a PDF that they have opened.  Even if you use a strong password to restrict usage, it is completely useless.  Not only will freely available password recovery tools remove it in seconds due to insecure (and well published) security mechanisms in the PDF security handler, but a large number of open source PDF readers routinely ignore the permission protections and permit the user to freely print or make a copy of the content present in the document, as if the document were not protected by passwords in the first place.

PDF password protection is therefore not a secure form of protection for sensitive information that must be tightly controlled.

Is PDF password protection right for my business?

When deciding whether PDF Password Protection is right for your business, consider the following points:

  • Is the information inside your PDF files of any specific value?
  • If the information is confidential and meant for internal use only, how can you prevent authorized users sharing it with others?
  • If you trust authorized users not to share the PDF and password with others, is the password kept securely?
  • How do you intend to control use of your PDF files once they leave your organisation (i.e. the need to share with third parties)?
  • If you sell PDF documents then how can you prevent your PDFs being redistributed without your knowledge?
  • If users are allowed to password protect PDFs do you have a strong password policy in place that can be enforced?
  • How do you intend to manage password administration and distribution?

You may find that PDF password protection is probably only right for your business if the information inside your PDF files is not of any specific value.  This is because:

  1. You cannot prevent users sharing passwords with others and that is the only security backing up the system.
  2. The password only provides protection if you are sending a protected PDF file to a known recipient who would not want to disclose the PDF contents to anyone else.
  3. Restrictions imposed on a PDF document (preventing printing, editing, etc.) can be easily removed by password cracking tools so it is important to remember this if you are relying on this ‘security’ to protect your PDF documents against misuse.

Alternatives to PDF password protection: How can I protect PDF files securely?

If you want actual security for your PDF documents then choose a PDF security system that does not rely on passwords for its security.

Locklizard provides PDF security software that protects PDF documents without passwords (we use transparent public key technology so that keys are never exposed to users), and enforces their use wherever they reside.

We automatically lock PDF files to authorized devices so they cannot be shared (and locations too if you want stronger security), and prevent printing, stop screen grabbing, disable copy and paste, watermark content with dynamic watermarks (user details, date/time stamp, etc), and enable the document owner to expire and revoke content at any time.

We use our own PDF Viewer software rather than plugins to native applications so that your PDF files cannot be compromised by known (and unknown) security weaknesses.  Read our DRM technology to see why Locklizard is superior to PDF password protection and how we protect PDF files no matter where they reside.