It is possible to use passwords to protect PDF files from being opened, printed or altered.
In the Adobe PDF standard there are two passwords:
- The Document Open password or User password – requires users to type in a password to open the PDF
- The Permissions password or master password – lets you alter or remove PDF controls. Users don’t need a password to open the document but they do need a password to change the restrictions you’ve set.
If the User password is already known, or the User password was not set, then there are literally hundreds of tools available, some free, some paid for, that will remove the permissions password almost immediately – 82 Million results on Google, so take your pick.
So if you are trying to control document usage you have to set a User password on the document or the permissions password can be removed trivially.
This creates the obvious problem that the people you are sending protected documents to need to have the User password in order to read it. And once the User password is known users can then use PDF password removal tools (although there are also other simpler methods – see Removing PDF Passwords) to trivially remove the permissions password and do what they like with the document. This is exactly the same weakness with sending encrypted documents that do not have DRM controls – the recipient can do what they like and you have no way of stopping them.
So the only time there is some control is if someone (i.e. an unauthorized user) gets hold of a User password protected document, not knowing what the password is. But even here companies such as Elcomsoft, famous for being the first to break the User password system, provide PDF password removal tools to carry out dictionary attacks (common password words such as ‘password’) and ‘brute force’ attacks (which will get you there eventually unless the password is very strong).