PDF Password Protection

Using Passwords to encrypt & protect PDF files


Mention PDF Security and people immediately think of either Adobe Acrobat’s PDF password protection or another PDF encryption solution that uses passwords.  But is using PDFs with a password really a secure method of protecting PDFs against unauthorized use and misuse?

Here we cover the advantages and disadvantages of using passwords to encrypt and protect PDFs, how to remove passwords from PDF files, and whether passwords are an adequate method of PDF protection.

  Does PDF Password Protection work?

PDF Password Protection has been around for a long time, but its success rate is rarely analyzed.  Here we look at it in terms of the good, the bad, and the ugly.

  • Good

    • Cheap – you can do it yourself or there are a ton of programs out there if you do a search for ‘password generator’
    • Easy to use, recipients understand the process – ID/password is probably the most common form of access mechanism in use on the planet so there is high user acceptability for ease of use
    • Acrobat lets you encrypt and password protect opening of a PDF and apply restrictions on use (permissions)
    • With most PDF encryption software you can encrypt a PDF using AES encryption at 128-bits or more
    • There are viewers and/or plug-ins for handling PDFs on almost every platform
  • Bad

    • Strong passwords are difficult to set up and use – people cannot relate to them, there are too many passwords to try to remember and ‘security’ products that offer to keep them safe for you provide a single point of failure should anything go wrong
    • Can be shared around easily – since they get sent in readable form to the user they can be copied and forwarded to anyone and anywhere
    • If documents can be used ‘offline’ there is no way of knowing how many people have the password that has been given away/stolen
    • Can be stolen easily – because they have to be used by humans they cannot be protected. The stronger they get, the more likely the human is to keep it in plaintext on their computer and copy and paste it in. Not always the most satisfactory security approach
    • If you can change document permissions as the end user, then nothing is actually protected
    • The choice of controls that can be applied using Adobe Acrobat are rather limited and take no account of the destination environment being used
  • Ugly

    • Password generator and password attack programs have been around a long time as free web downloads and are very effective
    • There are lists of popular passwords, showing that manual password selection is seriously flawed as an approach
    • Some products, such as those from Elcomsoft, target very specific environments – breaking Adobe Acrobat passwords, ZIP, RAR, Microsoft Office XP, PGP Keys, and so on
    • Access is often provided within seconds or minutes using these applications

Some Facts about Passwords

  • 1 – hour to crack 16-character ASCII passwords
  • 3 – no. of years users keep passwords unchanged
  • 6 – characters is the average password length used
  • 123456 – is the most popular password

PDF Permissions

Permissions you can apply to PDFs, such as preventing access and stopping printing.  Tips on setting permissions for PDFs.

Remove PDF Passwords

How to unlock PDF files.  The tools available to remove password security and why they are effective at unlocking PDFs.

PDF Password Hints

How to select a strong password for your PDFs and password protect your PDF documents.

  Enforcing the use of strong PDF Passwords


A password is a primary line of security against any unauthorized entry into the PDF document.  It is used as the key to encrypt and decrypt information.  The stronger the password, the greater the degree of security the PDF document has.  To create a strong password, follow these guidelines:

  • A secure password should be at least 8-9 characters in length (preferably 16 characters).
  • It must not contain any private data, particularly a first name, company name or surname.
  • It should not be the same as any previously used passwords.
  • It must not be a single dictionary word.
  • It should comprise characters from these four fundamental classes: uppercase letters, lowercase letters, numbers, and special characters such as £%$(, etc.
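
The five guidelines above can be enforced before a password is ever applied to a PDF. The checker below is an added example, not part of the original page or of any product it mentions; the function names, the small word list and the 9-character minimum (the stricter reading of "8-9") are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import string

# Constructed sample word list (assumption); load a real dictionary and a
# breached-password list in practice.
DICTIONARY = {"password", "dragon", "sunshine", "welcome", "monkey"}

def history_entry(password, salt=None):
    """Store old passwords as salted PBKDF2 digests, never as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def check_pdf_password(candidate, private_terms=(), history=(), min_length=9):
    """Return the guideline violations; an empty list means the password passes."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < min_length:
        problems.append("too short")
    # Private data such as a first name, surname or company name.
    if any(t and t.lower() in lowered for t in private_terms):
        problems.append("contains private data")
    # Re-derive the digest with each stored salt and compare in constant time.
    if any(hmac.compare_digest(history_entry(candidate, s)[1], d) for s, d in history):
        problems.append("previously used")
    # A single dictionary word, even with digits or symbols tacked on the ends.
    if lowered.strip(string.digits + string.punctuation) in DICTIONARY:
        problems.append("single dictionary word")
    classes = (str.isupper, str.islower, str.isdigit, lambda c: not c.isalnum())
    if not all(any(test(c) for c in candidate) for test in classes):
        problems.append("missing character class")
    return problems

if __name__ == "__main__":
    # "Password1!" satisfies length and all four classes yet is still one word.
    print(check_pdf_password("Password1!"))
```

Note that a password can satisfy the length and character-class rules and still fail the dictionary rule, which is why the checks are reported separately rather than as a single score.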

If you follow the basic password protection rules and use strong passwords then your PDF documents should be adequately protected.  Bear in mind, however, that if you give the password to others then they can do what they like with the PDF file.  The password prevents other users from opening the PDF document but nothing else.

Additionally, whilst Adobe Acrobat employs another type of PDF password, a restrictions password, this can be easily removed by PDF password recovery software.  So, PDF password protection is really only useful for storing PDFs securely.


  How to remove Password protection from PDF files

It is possible to use passwords to protect PDF files from being opened, printed or altered.

In the Adobe PDF standard there are two passwords:

  1. The Document Open password or User password – requires users to type in a password to open the PDF
  2. The Permissions password or master password – lets you alter or remove PDF controls.  Users don’t need a password to open the document but they do need a password to change the restrictions you’ve set.

If the User password is already known, or the User password was not set, then there are literally hundreds of tools available, some free, some paid for, that will remove the permissions password almost immediately – 82 Million results on Google, so take your pick.

So, if you are trying to control document usage you have to set a User password on the document or the permissions password can be removed trivially.

This creates the obvious problem that the people you are sending protected documents to need to have the User password in order to read it.  And once the User password is known, users can then use PDF password removal tools (although there are also other simpler methods – see Removing PDF Passwords) to trivially remove the permissions password and do what they like with the document.  This is exactly the same weakness with sending encrypted documents that do not have DRM controls – the recipient can do what they like and you have no way of stopping them.
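
To see what a permissions password actually sets, it helps to audit the encryption dictionary of a document you publish: the restrictions are a single integer (/P) that the viewer is asked to respect. The decoder below is an added example, not code from the original page; the bit meanings follow the PDF standard security handler, while the function names and the sample dictionary (with placeholder /O and /U values) are constructed for illustration.

```python
import re

# Permission bits of the standard security handler (1-indexed bit positions).
PERMISSION_BITS = {
    3: "print", 4: "modify contents", 5: "copy/extract text",
    6: "annotate / fill forms", 9: "fill existing form fields",
    10: "extract for accessibility", 11: "assemble document",
    12: "high-quality print",
}

# Constructed sample: an /Encrypt dictionary with placeholder /O and /U strings.
SAMPLE_ENCRYPT = b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852 /O <00> /U <00> >>"

def decode_permissions(p_value):
    """Map each permission name to True (allowed) or False (denied)."""
    flags = p_value & 0xFFFFFFFF  # /P is written as a signed 32-bit integer
    return {name: bool(flags >> (bit - 1) & 1) for bit, name in PERMISSION_BITS.items()}

def audit_encrypt_dict(encrypt_dict):
    """Summarise the restrictions a password-protected PDF asks viewers to honour."""
    def num(key):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", encrypt_dict)
        return int(m.group(1)) if m else None

    p_value = num(b"P")
    if p_value is None or not re.search(rb"/Filter\s*/Standard\b", encrypt_dict):
        return None  # not the password-based standard handler
    perms = decode_permissions(p_value)
    return {
        "revision": num(b"R"),
        "key_bits": num(b"Length") or 40,  # 40 is the default when /Length is absent
        "denied": sorted(name for name, ok in perms.items() if not ok),
    }

if __name__ == "__main__":
    print(audit_encrypt_dict(SAMPLE_ENCRYPT))
```

Every entry in `denied` is a request to the viewing application, not something the encryption enforces, so treat the list as a statement of intent when deciding whether password protection is enough for a given document.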

In fact, the entire process can be broken down into three steps:

  1. upload the PDF to a PDF password removal service
  2. enter the user password (if applicable)
  3. press a button to remove the permissions password and download the unprotected file


The only time there is some control, then, is if someone (i.e. an unauthorized user) gets hold of a User password protected document, not knowing what the password is.  But even here companies such as Elcomsoft, famous for being the first to break the User password system, provide PDF password removal tools to carry out dictionary attacks (common password words such as ‘password’) and ‘brute force’ attacks (which will get you there eventually unless the password is very strong).

  How to protect a PDF without a password using Locklizard

Locking PDFs with Safeguard is simple and more secure than Adobe password protection.  To protect a PDF & stop unauthorized use, choose the DRM controls:

Safeguard automatically protects PDFs from unauthorized sharing:

  • PDFs are locked from being edited or changed (read only).
  • users cannot copy or save protected PDFs into unprotected files
  • there are no passwords to enter or remove.
  • if a protected PDF is sent to an unauthorized user, they can’t open it.
  • PDF documents are automatically locked to machines (authorized devices).
  • you can restrict use to IP and country locations.
  • stops screen grabbing software from taking screenshots.
  • remotely revoke PDF files at any time.

  Are PDF Passwords safe to use?


No.  The conclusion you have to come to is that although Adobe Acrobat PDF password protection seems easy, most implementations are not actually effective.  That is fine if you just want to appear to have some security.  As an approach, it only starts to become practical with very long passwords together with other controls monitoring or preventing unauthorized use.

The Adobe PDF Security method has been exposed as having an inherent weakness – based on an ‘honor’ system it relies on third party applications to enforce PDF restrictions (i.e. stop printing or copying).  It is therefore trivial to bypass or remove.  This article covers the Adobe PDF security handler in more detail – How the Adobe PDF Security Handler works.

There are stronger approaches than protecting a PDF with a password to ensure PDF protection.  They start with the introduction of a recipient Identifier (ID) as well as a key, and go on to use cryptography to prevent unauthorised use by identifying hardware and linking it to the license rather than trying to identify the end user (identifying the hardware is not the same as identifying the MAC address given in a network adapter which can be changed or masked relatively easily).

Locklizard for example, protects PDF files without passwords – using keys that are transparently and securely relayed and locked to user devices so they are not exposed to either users or third party applications.  We also use other security mechanisms such as 256-bit AES encryption, licensing controls, and proprietary protection methods to ensure PDF documents remain protected against unauthorized use and misuse no matter where they reside.  See our DRM Technology.

  FAQs

How does Locklizard differ from PDF password protection?

Locklizard combines a passwordless, transparent key-based authentication system with its secure viewer application, which the user installs on their computer, tablet, or mobile phone.  Admins don’t need to set up any complex systems or policies – they just add the user to the admin portal after protecting the document and they are automatically sent an email with their license file.

Once a user activates their license, it is locked to their machine.  If a user does not have a license file that is authorized to decrypt and open the file, they will not be able to do so.  The authorization to view a file can be revoked remotely at any point.

In addition, Locklizard has various irremovable controls that are enforced by its viewer application.  By default, Locklizard Safeguard protects against editing, copying, printing, and screenshotting.  It can also be used to allow a certain number of prints, add watermarks, set a self-destruct timer, and more.

How do I password protect a PDF without Acrobat?

You can use any other PDF editing software, such as Foxit, Sejda, or PDFelement to password protect a PDF.  In Foxit, just press ‘Secure Document > Password Protect’ and enter a secure document open password.

How do I password protect a PDF file for free?

You can use one of many online tools.  Adobe has its own online tool, but they all work more or less the same.  Just bear in mind that you’ll be uploading your document to a remote cloud server that could be compromised in the future.

Instead, you may want to try the open-source PDFEncrypt app, which allows you to password protect a PDF locally.

How do I password protect a PDF in Office 365?

Open the file in Microsoft Word and press ‘File > Info > Protect Document > Encrypt with Password’.  Type a strong password, then save it to apply the changes.

How do I send documents securely via email?

Once you password protect a document it will be secure in transit and when it isn’t being used provided the password is strong. However, password protection won’t prevent a user from sharing the PDF and its password with somebody else.  For full protection, you should consider using a PDF DRM solution instead.
