How to Password Protect a PDF (And Why Most People Do It Wrong)
A colleague sent me a "password-protected" PDF last week. The password was in the same email. I opened it, and the protection only prevented printing — I could still copy all the text, extract pages, and even remove the password entirely using a free tool. This is not security. This is security theater.
Two Types of PDF Passwords
PDFs support two completely different types of password protection, and confusing them is the most common mistake:
Open Password (User Password)
This prevents anyone from opening the file without the password. The entire file is encrypted. Without the password, the content is unreadable — not just locked, but actually encrypted (with AES-256 when you choose the strongest setting). This is real security.
Permission Password (Owner Password)
This restricts what people can do with an already-open file: prevent printing, prevent copying text, prevent editing. But here is the critical problem — the file is not encrypted. The content is fully readable. The restrictions are enforced by the PDF viewer software, and any tool that ignores those restrictions can bypass them instantly.
According to the PDF specification, permission passwords are "advisory" — they rely on software compliance, not cryptographic enforcement.
What Actually Provides Security
| Protection Type | Prevents Opening? | Prevents Copying? | Cryptographically Secure? | Can Be Bypassed? |
|---|---|---|---|---|
| Open password (AES-256) | Yes | Yes (file is encrypted) | Yes | Only by brute force |
| Permission password only | No | In compliant viewers only | No | Yes, trivially |
| Both passwords | Yes | Yes | Yes | Only by brute force |
How to Do It Right
- Use the PDF Protection tool
- Set an open password (this encrypts the file)
- Optionally set permission restrictions (printing, copying, editing)
- Choose AES-256 encryption (not the older RC4)
- Use a strong password — at least 12 characters with mixed case, numbers, and symbols
Password Delivery
Never send the password in the same email as the file. Use a different channel:
- Send the PDF by email, send the password by text message
- Send the PDF by email, call them with the password
- Use a pre-agreed password for recurring exchanges
- Use a secure file sharing service that handles access control
When NOT to Use PDF Passwords
- Public documents. If the document is meant to be freely distributed, passwords just create friction.
- Documents you might lose the password for. There is no "forgot password" for encrypted PDFs. Lose the password, lose the document.
- Large-scale distribution. If 500 people need the same password, it is not a secret anymore.
Encryption Strength
PDF supports several encryption levels:
- 40-bit RC4 — Obsolete. Can be cracked in seconds. Do not use.
- 128-bit RC4 — Weak by modern standards. Avoid.
- 128-bit AES — Adequate for most purposes.
- 256-bit AES — Current best practice. Use this.
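To confirm which of these levels a finished file actually uses, you can read its encryption dictionary, which the PDF format stores unencrypted. The Python below is an added example, not part of the PDF Protection tool: the function names are hypothetical, the samples are constructed, and the byte-level matching is a heuristic that assumes a single /Encrypt entry per file.

```python
import re

VERDICT = {"RC4-40": "obsolete", "RC4-128": "weak",      # labels from the list above
           "AES-128": "adequate", "AES-256": "best practice"}

def _num(d, key, default=None):
    """Integer value of /key in dictionary bytes d, else default."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default

def encrypt_dict(pdf):
    """Raw bytes of the /Encrypt dictionary, or None if the file has none."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:  # usual case: the trailer points at an indirect object
        pat = rb"(?<!\d)%d\s+%d\s+obj(.*?)endobj" % (int(ref[1]), int(ref[2]))
        obj = re.search(pat, pdf, re.S)
        return obj.group(1) if obj else None
    direct = re.search(rb"/Encrypt\s*<<(.*?)(?:startxref|endobj)", pdf, re.S)
    return direct.group(1) if direct else None

def classify(pdf):
    """Return (algorithm, verdict) for the bytes of a PDF file."""
    d = encrypt_dict(pdf)
    if d is None:
        return ("none", "not encrypted")
    v = _num(d, b"V", 0)
    m = re.search(rb"/CFM\s*/(\w+)", d)   # first crypt filter method, if any
    cfm = m.group(1) if m else b""
    if v == 5 and cfm == b"AESV3":
        algo = "AES-256"
    elif v == 4 and cfm == b"AESV2":
        algo = "AES-128"
    elif v == 4 and cfm == b"V2":
        algo = "RC4-128"                  # RC4 selected through a crypt filter
    elif v in (1, 2):                     # RC4; /Length is in bits, default 40
        algo = "RC4-128" if v == 2 and _num(d, b"Length", 40) > 40 else "RC4-40"
    else:
        return ("unknown", "inspect manually")
    return (algo, VERDICT[algo])

# Constructed samples (dictionary fragments, not real documents).
AES256 = (b"7 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
          b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> /StmF /StdCF "
          b"/StrF /StdCF /P -1084 >>\nendobj\ntrailer\n<< /Encrypt 7 0 R >>\n")
RC4_40 = b"5 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -64 >>\nendobj\ntrailer\n<< /Encrypt 5 0 R >>\n"
RC4_128 = b"trailer\n<< /Encrypt << /Filter /Standard /V 2 /R 3 /Length 128 >> >>\nstartxref\n"

if __name__ == "__main__":
    print(classify(AES256), classify(RC4_40), classify(RC4_128))
```

The result describes the algorithm only; it says nothing about how strong the password is. Any RC4 key longer than 40 bits is reported in the "RC4-128" bucket.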
Removing Protection
If you have the password and need to remove protection (for example, to merge the file with other documents), use the PDF Unlocker. This requires the correct password — it is not a bypass tool.
As Adobe security documentation emphasizes, PDF encryption with AES-256 and a strong password provides robust protection. But permission-only passwords without encryption are easily circumvented and should not be relied upon for sensitive content.