Password Protect PDF

PDF Password Protection

Using Passwords to protect PDF files

Think of PDF Security and most people immediately think of Adobe PDF password protection. But are using passwords really a secure method of protecting PDF files against unauthorized use and misuse?

Here we cover the advantages and disadvantages of using passwords to protect PDFs, how to remove passwords from PDF files, and whether passwords are an adequate method of PDF protection.

Free 15 Day Trial

Total PDF Security – no passwords

Stop unauthorized access and sharing
Control use – stop copying, editing, printing, etc.
Lock PDFs to devices, countries, locations
PDF expiry & revoke PDFs anywhere, anytime

Does PDF Password Protection work?

PDF Password Protection has been around for a long time, but is rarely analysed to see how successful it is. Here we look at it in terms of the good, the bad and the ugly.

Good
- Cheap – you can do it yourself or there are a ton of programs out there if you do a search for ‘password generator’
- Easy to use, recipients understand the process – ID/password is probably the most common form of access mechanism in use on the planet so there is high user acceptability for ease of use
- Adobe let you password protect opening the PDF and changing the permissions granted, there are viewers and/or plug-ins for handling PDF on almost every platform
Bad
- Strong passwords are difficult to set up and use – people cannot relate to them, there are too many passwords to try and remember and ‘security’ products offer to keep them safe for you, providing a single point of failure should anything at all go wrong
- Can be shared around easily – since they get sent in readable form to the user they can be copied and forwarded to anyone and anywhere
- If documents can be used ‘offline’ there is no way of knowing how many people have the password that has been given away/stolen
- Can be stolen easily – because they have to be use by humans they cannot be protected, and the stronger they get the more the human being has to keep a real copy on a computer and use copy and paste to use it, not always the most satisfactory security approach
- If you can change document permissions as the end user then nothing is actually protected
- The choice of controls that can be applied using Adobe is rather limited and takes no account of the destination environment being used
Ugly
- Password generator and password attack programs have been around a long time as free web downloads and are very effective
- There are lists of popular passwords, showing that manual password selection is seriously flawed as an approach
- Some products, such as those from Elcomsoft, target very specific environments – breaking Adobe passwords, ZIP, RAR, Microsoft Office XP, PGP Keys and so on
- Access is often provided within seconds or minutes using these applications

Some Facts about Passwords

hour to crack 16 character ASCII passwords

no. of years users keep passwords unchanged

characters is the average password length used

123456

is the most popular password

Working with PDF Passwords

How to get PDF Password protection to work. What you must consider if password protecting PDF files & password strength.

Protect PDF Files

Using PDF password protection to stop PDF files from being misused. The options and software available for password protecting PDF files.

PDF Permissions

Permissions you can apply to PDF files, such as preventing access and stopping printing. Tips on setting permissions for PDF files.

Remove PDF Passwords

How to unlock PDF files. The tools available to remove password security and why they are effective at unlocking PDFs.

PDF Password Hints

How to select a strong password for your PDF files and apply PDF password protection to documents.

Enforcing the use of strong PDF Passwords

A password is a primary line of security against any unauthorized entry into the PDF document. The more powerful a password, the greater the degree of security the PDF document has. To create a strong password, follow these guidelines:

A secure password should be at least 8-9 characters in length (preferably 16 characters).
It must not comprise any private data —particular one’s actual name, company name or surname.
It should not be the same as any previously used passwords.
It must not be a single dictionry word .
It should comprise of attributes from these four fundamental classes: uppercase letters, lowercase letters, numbers, and special characters such as £%$(, etc.

If you follow the basic password protection rules and use strong passwords then your PDF documents should be adequately protected. Bear in mind however that if you give the password to others then they can do what they like with the PDF file. So the password protects other users from opening the PDF document but nothing else. Whilst Adobe employ another type of PDF password, a restrictions password, this can be easily removed by PDF password recovery software. So PDF password protection is really only useful for storing PDF files securely.

PDF Password Tips

How to remove Password protection from PDF files

It is possible to use passwords to protect PDF files from being opened, printed or altered.

In the Adobe PDF standard there are two passwords:

The Document Open password or User password – requires users to type in a password to open the PDF
The Permissions password or master password – lets you alter or remove PDF controls. Users don’t need a password to open the document but they do need a password to change the restrictions you’ve set.

If the User password is already known, or the User password was not set, then there are literally hundreds of tools available, some free, some paid for, that will remove the permissions password almost immediately – 82 Million results on Google, so take your pick.

So if you are trying to control document usage you have to set a User password on the document or the permissions password can be removed trivially.

This creates the obvious problem that the people you are sending protected documents to need to have the User password in order to read it. And once the User password is known users can then use PDF password removal tools (although there are also other simpler methods – see Removing PDF Passwords) to trivially remove the permissions password and do what they like with the document. This is exactly the same weakness with sending encrypted documents that do not have DRM controls – the recipient can do what they like and you have no way of stopping them.

So the only time there is some control is if someone (i.e. an unauthorized user) gets hold of a User password protected document, not knowing what the password is. But even here companies such as Elcomsoft, famous for being the first to break the User password system, provide PDF password removal tools to carry out dictionary attacks (common password words such as ‘password’) and ‘brute force’ attacks (which will get you there eventually unless the password is very strong).

Are PDF Passwords safe to use?

The conclusion you have to come to is that although PDF password protection seems to be a good idea because it’s easy, most implementations are not actually effective. That is fine if you just want to appear to have some security. As an approach it only starts to become practical with very long passwords together with other controls monitoring or preventing unauthorized use.

The Adobe PDF Security method has been exposed as having an inherent weakness – based on an ‘honor’ system it relies on third party applications to enforce PDF restrictions (i.e. stop printing or copying). It is therefore trivial to bypasss or remove. This article covers the Adobe PDF security handler in more detail – How the Adobe PDF Security Handler works.

There are stronger approaches than passwords to ensure PDF protection. They start with the introduction of a recipient Identifier (ID) as well as a key, and go on to using cryptography to prevent unauthorised use by identifying hardware and linking it to the license rather than trying to identify the end user (identifying the hardware is not the same as identifying the MAC address given in a network adapter which can be changed or masked relatively easily).

Locklizard for example, protects PDF files without passwords – using keys that are transparently and securely relayed and locked to user devices so they are not exposed to either users or third party applications. We also use other security mechanisms such as encryption, licensing controls, and proprietary protection methods to ensure PDF documents remain protected against unauthorized use and misuse no matter where they reside. See our DRM Technology.

PDF Password Protection	Password Protecting PDFs	History of PDF Passwords	Using Passwords to Protect PDF files
How to Password Protect PDFs	Remove PDF Password Protection	Cracking Password Protected PDFs	Protect PDFs without Passwords
PDF Security Issues	PDF Digital Rights Management	PDF Encryption	PDF Security