PDF Password Protection

PDF Password Protection & Security

Why you should not password protect PDF files

Password protecting PDF files: why use passwords?

As a matter of history, passwords have been used to protect access to computers and access to files. At the time it was the only mechanism that could be implemented – smart cards and biometrics were just a gleam in manufacturer’s eyes (and some say still are).

Passwords have an increasingly bad press as a security mechanism, largely because of the appalling way in which programmers, with little understanding of either security or how human beings behave, have implemented poor systems that make impossible demands on the user.

The usual approach to password management is to insist on something that has 6 or 8 characters and/or numbers and changes regularly. The approach makes people pick easy passwords so they have a snowball in hell’s chance of remembering them.

The same goes when people pick passwords for protecting encrypted PDF documents (or zip files or anything similar). It is difficult to choose a password that you can easily pass on to the recipient and be sure they get it right unless you choose a short and simple one.

And managing passwords is, with these systems, a nightmare. Who has which password? Has it been changed? Can they update it? What happens if you update it? How do you get the password to the recipient securely? If they ‘lose’ it how do you replace it? You cannot stop them sharing the password(s) with other people and you have no way of being able to detect that.

And that creates the problem, because short passwords that are easy to remember and type in are just as easy for an attacker using a dictionary system. They can break it in minutes, if not seconds. Even using an exhaustive search for all numbers and letters for 8 character positions is stunningly quick with a P4 based computer. See Removing PDF Passwords.

Free 15 Day Trial

Protect PDFs – no Passwords

Stop unauthorized access and sharing
Control use – stop copying, editing, printing, screenshots, etc.
Lock PDFs to devices & locations
Expire and revoke PDFs any time

But PDF passwords are still popular (as are zip passwords) even though they have such a weak effect and are so easily passed on to other people who have no authority to use the document(s).

So if you disclose what the password is to a document because you are using the password to drive the PDF security or PDF digital rights management controls then any rights you gave to the recipient can be passed on to anyone else. But if you don’t disclose the password then how can the system be made to work?

And so we have to conclude that PDF password protection is not an effective way to implement your PDF security because it is too difficult to manage and too easy to defeat.

Reasons not to password protect PDF files

Although PDF password protection seems to be a good idea because it’s easy, most implementations are not actually effective. Below are 10 reasons why you should not PDF password protect files.

Password Maintenance
Strong PDF passwords are difficult to set up and use.
Password Administration
You have to administer a list of PDF passwords – ideally one for each document – so this can soon become a burden.
The Adobe PDF Open Password must be shared
The Adobe Acrobat document open password must be given to others in order for users to view PDF files.
The Adobe PDF Permissions Password is totally useless
Once the document open password is known then the permissions password can be broken in seconds, so any restrictions you add to a PDF file (i.e. restrict printing, editing, copying, etc.) are useless. See Removing PDF Passwords.
Passwords are easily shared with unauthorized users
PDF passwords can be easily shared because they are sent in a readable format.
Passwords are easily stolen
PDF passwords can be easily stolen since they are often left exposed in plain text documents so they can be easily remembered or copy/pasted.
You don’t know who has access to your protected PDF files
There is no way of knowing how many people are using a PDF password that has been given away or stolen.
Passwords are easily forgotten
Users often forget passwords so are more likely to try and remove them.
PDF Password Removal tools can remove passwords in seconds
There are many freely available PDF password removal programs that will easily remove Adobe password protection and that includes the document open password. Even applications like Google drive and Google chrome can be used to remove PDF passwords – see Adobe PDF security issues.
16 character ASCII passwords can be cracked in an hour
It takes just 1 hour to crack 16 character ASCII passwords assuming a common password has not been used (password crackers check against a commonly used password list first). If a commonly used password has been used then the time taken is a lot less.

So why do people password protect their PDF files?

The simple answer is laziness. They like to live under the delusion that incompetent or inadequate passwords provide some fig leaf of protection, whilst anybody with any ability to search the Internet can buy products that remove that irrelevant protection immediately. Search for pdf password, pdf password protect, pdf password protection, pdf password security, password protect pdf, password protect a pdf file, how to password protect a pdf, protect pdf with password, on the Internet and at least three of the first ten search queries are for pdf password crackers.

“Document-level password protection technically isn’t DRM (digital rights management). And because of the plug-in architecture of Acrobat and PDF readers, it makes PDF a less-secure platform for DRM.” – quote by ElcomSoft CEO Vladimir Katalov.

At a single click of a button pdf-Recover will remove the password regardless of whether it has been encrypted using the latest 256-bit AES encryption. The result is an exact replica of the original PDF without any security settings whatsoever – pdf-Recover removes all of the restrictions implemented.

So whilst you can use Adobe to password protect PDF files for free, the security you are getting may not be adequate.

If you are still not convinced see Removing PDF Passwords and PDF Security cracks and flaws.

If PDF password protection is not recommended, what should I use to protect my PDF documents?

The key to a secure system is to avoid the user having to know or be involved with passwords at all.

This is best achieved by ensuring that, in a cryptographic system, keys are exchanged securely and secretly, so that even the user is not aware of, and therefore cannot compromise, the security of the system. Only if you take these steps can you be confident that the protection method you have used is resistant to both deliberate and careless compromise.

It is an accepted fact by all security professionals that the people most able to compromise any security system are the authorized users themselves. That is not to say that users are deliberately dishonest or even malicious rather that in most cases they are over helpful or fail to understand the security functions that they are expected to perform.

It is not easy to design a system that does not rely upon the integrity of the user, but those that have been designed specifically to avoid the need for the user to become directly involved, through the use of passwords or direct use of cryptographic keys are to be preferred.

How to protect PDF files without passwords

Safeguard PDF Security and Enterprise PDF DRM do NOT use PDF password protection to protect your PDF documents. They ensure your PDF documents are protected against unauthorized use and misuse without the use of passwords.

Using Safeguard Writer you can protect PDF files without passwords and apply DRM controls to prevent PDF copying, saving, modifying and printing.

Safeguard uses public key technology rather than passwords.

PDF files are individually encrypted locally on your desktop and protected using an unique key that is stored encrypted on a licensing server.
This key is securely and transparently relayed to an authorized client computer (a device that an authorized user has registered their license from) when a protected document is opened.
Keys are locked to authorized devices so they cannot be shared with others.
Protected PDF files cannot be copied, printed or shared unless you have specified otherwise.
You can set document expiry dates and instantly revoke your PDF files.
There are no passwords for users to enter, manage, forget or pass on to others.

Safeguard uses US Gov strength AES 256 bit encryption, public key technology, DRM and licensing controls to ensure your PDFs remain protected at all times. See our DRM Technology.