PDF password protection
Adobe Systems added the ability to protect PDF files with a password.
Password Protection of PDF Files
Password protection & Adobe PDF documents
PDF documents were first developed during the early 1990s as a means of sharing documents among users who had heterogeneous platforms and did not necessarily have the accessibility to mutually consistent application software amongst themselves.
The first edition of the PDF format, 1.0, was released in 1993 by Adobe without any protection or document security features. Since then Adobe have added additional PDF security features such as encryption and digital signatures to the PDF format so that users can password protect PDF files against unauthorized use and add restrictions to prevent editing and printing of content.
The use of passwords for PDF protection is at best, questionable. If you password protect a PDF with an owner password (required to open the document) then you need to give this to those you wish to share the document with. This therefore requires both password management and separate distribution (since sending a password with the password protected PDF is clearly not secure). And if you have applied any restrictions to the PDF then these can be easily removed with free PDF Password Recovery programs.
A History of PDF Versions & Security Features
1.1 - 1996
1.3 - 1999
Digital Signatures & RC4 encryption
Adobe Systems introduced digital signatures and 40-bit RC4 encryption. From this point on, PDF files began to get encrypted for security purposes and digitally signed for authentication by business users and those who needed an added level of protection when distributing PDF documents. During this stage, there was no other means of access control mechanism for PDF documents and hence passwords became extremely common across the world and were used by a majority of users, simply because there was nothing else available at the time.
1.4 - 2001
128-bit RC4 encryption supported
Adobe adds 128‑bit RC4 encryption for PDF Password protection.
1.5 - 2003
Usage right signatures and digital certificates
Adobe added the ability for sections of content to be hidden in a PDF document and usage right signatures to validate that permissions had been granted by a bona fide authority. Adobe Reader verifies that the signature uses a certificate from an Adobe-authorized certificate authority.
1.6 - 2005
128‑bit AES encryption supported
Adobe adds 128‑bit AES encryption in Adobe Acrobat 7.0 & Adobe Reader 7.0.
1.7 - 2006
Password checking security weakness
Adobe changes password checking method in Acrobat 8 to speed up password authentication. This introduced a serious security weakness that PDF Password removal software took advantage of to remove PDF owner passwords 100 times faster than before.
2008
Adobe Extension level 3
Adobe handed over the PDF standard to the ISO organization which meant they could no longer release new versions of the file format. Instead they added custom features to PDF that only their own software supports. In 2008 they added AES 256 bit encryption. Other PDF creation companies followed suit.
2.0 - 2017
AES 256 bit encryption supported
Version 2.0 defines 256-bit AES encryption as standard.
 |
Types of PDF Password |
The basic level of security provided by Acrobat PDF consists of two differing measures and two password controls – one being the use of a password which enciphers the file and forbids the opening of the document (owner password), and another password (permissions password) which determines operations that should be restricted even when the document is decrypted. This could include various processes such as printing the document, copying the text or the content from the document, duplicating graphics from the document, modifying the content of the document or adding or deleting notes and text within the AcroForm fields.
 |
Is PDF password protection secure? |
Most people are of the opinion that PDF password protection helps to keep their PDF data secure and safe. However, this is not entirely true. Although passwords have been the most common form of security by which users prove their identity to a PDF file, it has also been the most vulnerable. Experts recommend that PDF password protection should not be widely used, especially to safeguard confidential information.
Since protecting PDF files with passwords is not much better than not doing so, why is PDF password protection so widely used? One of the main reasons why password-based authentication of PDF files has become so common is not because of the security that it offers but because of the ease of use, low cost, simplicity and practicality. Almost every PDF creation application has PDF password protection functionality built-in, and that provides a quick and easy security option for users.
So how secure are password protected PDFs?
There are a number of aspects that determine how safe such “PDF password protected” files really are.
- Most PDF passwords used are weak, and once one person knows the password to open the document they can share it with others. The document restrictions can then be easily removed. Studies reveal that users often make a note of their passwords and place them in visible locations while some others build extremely weak passwords based on simple dictionary words or personal data, which can be easily deduced by people who know enough about them. A weak password is the weakest link in a password based PDF security system.
- Protecting PDF documents with the help of passwords has been easily exploited by hackers because most users are ignorant of the kind of passwords that they should use to secure PDF documents. A majority of users secure their PDF documents with short and easy to crack passwords, since it is easier to remember shorter words rather than long-drawn, complex and difficult-to-remember characters. Using short passwords was considered to be an important business etiquette (ease of use), simply because doing so allowed the recipient to easily open the document, rather than concentrating on a realistically secure password as a defence mechanism. It is also widely acknowledged that most users reuse old passwords.
- The fact that confidential data in a PDF document hinges on the secrecy of a single password, is in itself a dangerous notion. A PDF file that is dependent on password-based authentication relies on a single word for security; this in itself is a significant vulnerability. If an authorized user is given the password to open the PDF document then there is nothing preventing him/her from sharing the password with others – so security here is really a matter of trust. If an unauthorised user gains knowledge of the password or uses password cracking tools to break the PDF password security, they can gain easy access to the PDF file contents. An attacker who gains knowledge of the password can completely compromise the security of the PDF file, removing the security and making it available to others without the need to enter a password (or the password could just as easily be published along with the file).
- And then of course there is the permissions password that controls what users can do with a PDF that they have opened. Even if you use a strong password to restrict usage, it is completely useless. Not only will freely available password recovery tools remove it in seconds due to insecure (and well published) security mechanisms in the PDF security handler, but a large number of open source PDF readers routinely ignore the permission protections and permit the use to freely print or make a copy of the content present in the document, as if the document was not protected by passwords, in the first place.
PDF password protection is therefore not a secure form of protection for sensitive information that must be tightly controlled.
 |
Is PDF Password Protection right for my business? |
When deciding whether PDF Password Protection is right for your business, consider the following points:
- Is the information inside your PDF files of any specific value?
- If the information is confidential and meant for internal use only, how can you prevent authorized users sharing it with others?
- If you trust authorized users not to share the PDF and password with others, is the password kept securely?
- How do you intend to control use of your PDF files once they leave your organisation (i.e. the need to share with third parties)?
- If you sell PDF documents then how can you prevent your PDFs being redistributed without your knowledge?
- Is users are allowed to password protect PDFs do you have a strong password policy in place that can be enforced?
- How do you intend to manage password administration and distribution?
You may find that PDF password protection is probably only right for your business if the information inside your PDF files is not of any specific value. This is because:
- You cannot prevent users sharing passwords with others and that is the only security backing up the system.
- The password only provides protection if you are sending a protected PDF file to a known recipient who would not want to disclose the PDF contents to anyone else.
- Restrictions imposed on a PDF document (preventing printing, editing, etc.) can be easily removed by password cracking tools so it is important to remember this if you are relying on this ‘security’ to protect your PDF documents against misuse.
 |
What are the alternatives to PDF password protection? |
If you want actual security for your PDF documents then choose a system that does not rely on passwords for its security.
Locklizard provides PDF security software that protects PDF documents without passwords (we use transparent public key technology so that keys are never exposed to users), and enforces their use wherever they reside.
We automatically lock PDF files to authorized devices so they cannot be shared (and locations too if you want stronger security), and prevent printing, stop screen grabbing, watermark content with dynamic watermarks (user details, date/time stamp, etc), and enable the document owner to expire and revoke content at any time.
We use our own PDF Viewer software rather than plugins to native appliations so that your PDF files cannot be compromised by known (and unknown) security weaknesses. Read our DRM technology to see why Locklizard is superior to PDF password protection and how we protect your PDF files not matter where they reside.