Why PDF password protection is useless. How to add, bypass and remove PDF passwords.
Using passwords to protect revenue generating or confidential and sensitive business documents is a bad idea since they can be given away.
Introduction to PDF password protection
When PDFs were developed in the 1990s, the priority wasn’t security – it was making the document format as shareable as possible. As such, on its release in 1993, the Adobe PDF format didn’t ship with any form of PDF protection. It wasn’t until 1996 that Adobe released a version that included passwords, and a few years later digital signatures and RC4 encryption.
The password and encryption combination became immediately popular, and understandably so; it was all businesses had at the time. Just four years later, however, it was cracked by a Russian security engineer working for Elcomsoft. For better or for worse, the security mechanism has persisted since. Though Adobe has updated its encryption algorithms and key lengths several times, fundamental flaws remain in its password-based implementation. Elcomsoft’s PDF password removal software, among others, takes advantage of this weakness.
Today we’ll be demonstrating these security flaws by showing how to create and open a password-protected PDF, as well as how to print it. We’ll then propose an alternate stronger solution to passwords that will better protect your PDF documents.
How to password protect a PDF with Adobe Acrobat
There are dozens of freely available tools to password protect a PDF, but the most commonly used is Adobe Acrobat. Though all work on more or less the same principles, Adobe Acrobat’s prevalence in the enterprise has made it the tool of choice for many.
As we mentioned earlier and will soon demonstrate, the security provided by Acrobat and other PDF Editors is greatly flawed and can be trivially removed. If you insist on using it, though, here’s how:
- Open your PDF in Acrobat and press the “Protect” button in the sidebar.
- Click “Protect Using Password” in the top bar.
- Select “Viewing” or “Editing” and enter a secure password.
Protecting a PDF with a password using Adobe Acrobat
To avoid brute force attacks, you should use a strong password to protect PDF files – your password should be long, contain numbers and symbols and avoid words, phrases, names, and dates. As we’ll soon demonstrate, this won’t stop it from being removed, but it will eliminate one avenue of attack.
Once you’re happy with your password, click “Apply”.
How to open a password-protected PDF
Let’s start by showing how you can open a password-protected PDF that has a viewing password applied. The easiest way, naturally, is to enter the password, provided you know it.
If you don’t, however, it’s still possible to open the PDF. With a PDF viewer or “open” password, you’ll have to perform a more complex brute force, key search, or dictionary attack on the password. For this, you can use one of the many free applications, or a more advanced application like Elcomsoft. We’ll be using the free trial of Elcomsoft for this demonstration:
- Open your PDF file with Elcomsoft by pressing the “Open” button.
- Enter your password or press “Start recovery”.
- Wait for Elcomsoft to recover your password.
The method Elcomsoft uses will depend on the version of your PDF and the strength of its encryption. If it’s a strongly encrypted document, it will probably use a brute force attack, which might take a while to complete if the password is strong. Older PDFs should only take a few seconds due to their vulnerabilities. You can select the options you want to apply.
- Save your password from the “Password successfully recovered!” dialog or decrypt the file.
If Elcomsoft did not successfully find the document’s password, it’s probably a bit more complex. You should adjust parameters in the main window until you get the desired result, changing the minimum and maximum password length, trying dictionary attacks, and more.
How to remove password protection from a PDF
If you already know the open password or your PDF is using only a “permissions” or “owner” password to prevent editing and printing, it’s very easy to strip the document of any protection. There are many freely available online PDF password removal tools that do this for you – just Google ‘PDF Password Remover’. All you have to do is upload your protected PDF and press a button to unlock the PDF and remove the permissions.
Here are some other easy ways to remove protection from a PDF or unlock a password protected PDF file.
Removing password protection from a PDF using a Google account
Using this method enables you to convert a protected PDF to Word and then optionally back to an unprotected PDF.
- Open your Google Drive settings and check the box “Convert uploaded files to Google Docs editor format”.
Access the settings menu via the cog in the top-right corner.
- Select “New > File upload” and upload your PDF to Google Drive.
- Right-click the file and select “Open with > Google Docs”.
- Select “File > Download > Microsoft Word”.
- Edit in Microsoft Word and print the contents to a PDF (if desired).
This is just one of the many methods you can use to unlock a password-protected PDF for editing. Below, for example, we’ll show you an extremely easy way to print a password-protected PDF.
How to print a password protected PDF
If your PDF does not allow you to print because it’s password protected with an “editing” or “owner” password, you can easily circumvent this by simply opening it in Chrome and printing it to a new PDF.
- Right-click your PDF and select “Open with > Google Chrome”.
- Press the print icon and select “Microsoft Print to PDF” or “Save as PDF” from the list.
- Press “Print” and save your unprotected PDF.
- Open and print your PDF as many times as you like.
You can now print as many paper or digital copies as you like from this unprotected version, editing it or making other changes if you wish.
The problems with password protecting a PDF
We’ve focused a lot on Adobe Acrobat today, but the truth is that these security flaws exist in all PDF password-based encryption tools. As long as there’s an open password, it can be brute-forced or, if known, shared or removed. The “Editing” or “Permissions” passwords can be removed even more easily – making it basically impossible to prevent printing or editing via this method. Further, passwords quickly become cumbersome at scale, requiring significant effort to remember or maintain across hundreds of documents – and that’s assuming you have a method of distributing them securely.
Fundamentally, however, even if it were not possible to remove the open password, once a single user has been given the password they can share it with as many other users as they wish – or just remove it, since they now have full control over the document.
The better choice, then, is not to move to another password-based tool to protect PDF documents, but to look to more secure solutions that forgo them entirely.
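To see which of these weaknesses applies to a given file, you can read its encryption dictionary: the cipher and key length it declares, and the permission flags that a viewer is asked to honour. The following audit sketch is an added example, not part of the original article or any vendor tool; the two byte strings are constructed samples, and the regex-based parsing assumes the /Encrypt entry is an uncompressed indirect object.

```python
import re

# Constructed samples (not real files): only the /Encrypt object and trailer matter.
OLD_PDF = (b"%PDF-1.3\n7 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -64 "
           b"/O <00> /U <00> >>\nendobj\n"
           b"trailer\n<< /Size 8 /Root 1 0 R /Encrypt 7 0 R >>\n")
NEW_PDF = (b"%PDF-1.7\n9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /P -44 "
           b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> /StmF /StdCF "
           b"/StrF /StdCF /O <00> /U <00> >>\nendobj\n"
           b"trailer\n<< /Size 10 /Root 1 0 R /Encrypt 9 0 R >>\n")

# Permission bits of the signed 32-bit /P value (standard security handler).
PERMS = {"print": 4, "modify": 8, "copy": 16, "annotate": 32}


def _int(key, body, default=None):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default


def audit(pdf: bytes):
    """Return None for an unencrypted file, else a summary of its /Encrypt entry."""
    if b"/Encrypt" not in pdf:
        return None
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        raise ValueError("inline /Encrypt dictionary is not handled by this sketch")
    pat = rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (int(ref.group(1)), int(ref.group(2)))
    body = re.search(pat, pdf, re.S).group(1)
    v = _int(rb"V", body, 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    if v in (1, 2):
        cipher, bits = "RC4", (40 if v == 1 else _int(rb"Length", body, 40))
    elif v == 4:
        # Crypt filters: AESV2 is AES-128; otherwise RC4 (reported at its 128-bit maximum).
        cipher, bits = ("AES", 128) if cfm and cfm.group(1) == b"AESV2" else ("RC4", 128)
    elif v == 5:
        cipher, bits = "AES", 256
    else:
        cipher, bits = "unknown", None
    p = _int(rb"P", body, -1) & 0xFFFFFFFF
    denied = [name for name, bit in PERMS.items() if not p & bit]
    return {"cipher": cipher, "key_bits": bits,
            "revision": _int(rb"R", body), "denied": denied}
```

A result of RC4 with a 40-bit key marks a file whose open password offers almost no resistance, while the `denied` list shows restrictions that exist only as flags in the file and depend on the viewing software to enforce them.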
How to protect a PDF without passwords using Locklizard
Locklizard enables you to protect PDF files without passwords by combining 256-bit AES encryption, a secure viewer application, and a licensing system with transparent and secure key management. Here’s how it works:
- You encrypt a PDF on your local PC and add any DRM controls you want to enforce.
- Protected PDF documents are saved to your disk and a document record is created on the Admin System.
- You create a user account for each user you want to view protected PDF files.
- An email is automatically sent to the user with a link to the Viewer and their license file.
- Once the Viewer is installed and the license file activated (clicked-on) it is registered to that device and cannot be registered elsewhere (unless otherwise specified).
- You control from the Admin System which protected PDF files each user can access.
- You distribute your protected PDFs just like any other file (email, web site etc.).
- Protected PDF files can only be opened by someone who has been authorized for that document. Depending on your DRM controls, they also cannot be printed, edited, copied, screen grabbed, or shared. You can also automatically expire documents based on their age, number of opens or prints, and instantly revoke access.
Here’s the process to protect a PDF document without passwords using Safeguard Secure PDF Writer:
- Right-click on a PDF report on your computer and select ‘Make Secure PDF’.
Creating a protected PDF file
- Select the copy protection controls you want to apply. By default, editing, copying, and printing are disabled.
Encrypting a PDF without passwords or certificates using Locklizard Safeguard PDF DRM
- Press the Publish button to protect the PDF.
- Select the users you want to give access to your protected PDF files using the cloud-based Admin System:
Safeguard Admin System
- Then distribute your protected PDF documents just like any other file.
Locklizard PDF DRM software: protect PDF files without passwords
Locklizard enables you to protect PDF documents from being copied, altered, stolen or compromised by using encryption and DRM controls to prevent unauthorized access and control how documents can be used. Locklizard PDF DRM protects PDF files without passwords and enables you to sell and share documents securely without fear of them being accessed by unauthorized users or misused by authorized ones.
- Restrict PDF editing
- Stop copying and disable copy/paste
- Disable PDF printing or limit prints
- Prevent screenshots by blocking screen grabbing software
- Expire PDF files on a set date or after a number of days, opens or prints
- Lock PDF files to devices and locations
- Prevent saving to unprotected formats
- Add dynamic watermarks that identify users and are permanent
- Track PDF opens and prints
- Revoke access instantly
With no password to brute force and no route to bypass the protection of the secure viewer application (third-party plugins are not allowed), security is maintained. But as well as protecting your document initially, Locklizard ensures you have the tools to react to future issues. What if an employee loses a laptop with their protected documents on it, or a particular outside shareholder has a genuine reason for printing a locked document? If you applied password protection, it’s out of your hands. Once the document is out there, there’s no making changes to its protection.
With Locklizard, you can make changes to your document’s protection at any point through the Safeguard Administration system. You can suspend access to a PDF, restrict access to certain IP addresses or countries, change the number of views and prints allowed for specific users, and adjust document expiry dates. This flexibility ensures that even if somehow the worst were to happen, you still have the ability to limit damage.
How does Locklizard differ from PDF password protection?
Locklizard works by combining a passwordless, transparent key-based authentication system with a secure viewer application that is installed on the recipient’s PC or mobile device. There are no complex systems or policies to set up and manage. When a user is created in the Admin System they are sent an email which contains a license link. Clicking on that link will activate their license and lock it to their machine. The same license cannot be registered elsewhere (unless you specifically allow this), ensuring only authorized machines will ever have access. If a protected PDF is forwarded to an unauthorized person, they will not be able to open it.
Unlike solutions like Adobe Acrobat, the controls enforced by a strong DRM solution aren’t easily bypassed. Your PDF files are encrypted, and are only ever decrypted in memory once they reach the user. Further, because no passwords are used and the secure viewer application does not allow plugins or any other modifications, there’s no way to bypass the controls.
The bottom line – PDF password protection is not secure
It’s really quite simple – password protecting a PDF provides very little protection. As well as the problems with brute-forcing and permissions removal mentioned above, passwords can be easily shared with outside parties without your knowledge. Once one user has the password the security is gone.
At the end of the day, there’s a reason that companies like Microsoft are trying to move away from passwords entirely: they’re insecure and outdated. They might slow an attacker down, but they’re unlikely to stop them entirely.