PDF Password Protection and Encryption
PDF password protection is an optional feature offered by some software when creating a PDF file. A User Password may be added by the file creator to control opening and viewing the file. An Owner Password may be added by the file creator to control file privileges.
To receive the maximum benefit from PDF password protection and encryption, the file creator must understand the encryption choices and how to use the PDF password features properly.
PDF Password for User
The file creator may add a User Password (open password) to control opening and viewing the PDF file. The user needs both the PDF file and the User Password, and could give the file and password to an unauthorized person; or the user may fail to keep the password secure, allowing others to discover it and open the file. Failure to keep the User Password secure is the biggest security risk in PDF password protection.
The file creator must add a long, strong, unique password for maximum PDF file protection. An unauthorized person might attempt to crack the password by guessing frequently used passwords, birth dates or pet names, by a dictionary attack that tries every word in a dictionary, or by a brute force attack that tries every possible combination of characters.
The file creator must not use simple, short, frequently used, or previously used passwords, must not use any word found in a dictionary, and must create a long, strong, unique password made up of upper case and lower case letters, numbers and special characters.
A PDF file that includes only an Owner Password to limit file privileges, but no User Password to restrict opening or viewing the file, is not secure. Once the file is opened, readily available software tools allow hackers and unauthorized persons to remove the Owner Password and gain full file privileges.
Each user, or group of users, can be issued its own protected copy of the PDF file with its own password, distinguished by a unique file name, for example by appending a document serial number or user name:
CompanyReport-SN001.pdf, User Password1: long-strong-pw001
CompanyReport-SN002.pdf, User Password2: long-strong-pw002
PDF Password for Owner
A PDF file Owner Password may be added, with or without a User Password. The Owner Password is needed to change file privileges for users regarding printing, editing, copying, adding comments or form fields, and changing or removing the encryption method.
These file privileges, however, apply only after the file is opened. A User Password is not required and often is not added by the file creator, which allows anyone to open the file and then use software tools to remove the Owner Password and gain full file privileges.
PDF File Encryption
Encryption is the use of a mathematical system (algorithm) to keep information secret from anyone not authorized to use it. Encryption uses a secret encryption key to scramble the information stored in a file into ciphertext, so that only persons holding the correct encryption key can recover the unscrambled contents (plaintext).
Encryption keys are usually very long and their values are effectively random, making them practically impossible to guess.
RC4 Encryption Obsolete
Older versions of PDF files used weaker encryption methods known as 40-bit and 128-bit RC4 (Rivest Cipher 4), a fast and simple proprietary symmetric stream cipher, designed in 1987 by Ron Rivest of RSA Security.
RC4 encryption is now susceptible to attacks, is outdated, and should not be used for confidential PDF files or Wi-Fi. It was used in wireless WEP (Wired Equivalent Privacy), starting in 1997, which was later replaced in 2003 by WPA (Wi-Fi Protected Access), and WPA2 in 2004.
In 2008, the Payment Card Industry (PCI) updated their Data Security Standard (DSS) to prohibit the use of WEP when processing credit cards.
As computers have become faster and more powerful, a brute force attack, trying all possible combinations of an RC4 encryption key, takes much less time and may be completed in minutes, hours or days. [Some hackers now use the fast GPU (graphics processing unit) in video cards to crack passwords at faster speeds than the main computer chip (CPU).]
AES-128 and AES-256 Encryption Used by Government
Newer, stronger encryption methods use 128-bit or 256-bit AES (Advanced Encryption Standard), a modern block cipher specified in 2001 in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard FIPS-197.
AES, also known as the Rijndael cipher, was developed by two Belgian cryptographers, Vincent Rijmen and Joan Daemen, and submitted to NIST during the AES selection process. It was chosen for its speed and low memory requirements.
Since 2002, government agencies have used AES encryption to protect confidential files. NIST states that AES-128 or AES-256 encryption is considered adequate for Federal Government applications up through Classified Secret. Top Secret military applications may demand AES-256. AES replaced the older Data Encryption Standard (DES) published in 1977.
Businesses should use AES-128 encryption, with long, strong, unique passwords of 32 characters, to provide strong PDF file security.
Longer encryption keys and passwords are exponentially more difficult to crack than shorter ones. A random key with a length of N bits can be broken in a maximum of 2^N tries, and on average in half that number. With the computing power currently available to hackers, a brute force attack on AES-128 encryption is not a risk to worry about.
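As an added example, not from the page, the 2^N rule above carried through for the page's own cases: a 40-bit RC4 key, an AES-128 key, and User Passwords of 8 versus 32 characters. It assumes uniformly random passwords and round-number guess rates (one CPU core and one GPU); both are illustrative assumptions, not measured figures.

```python
import math

# Guess rates are assumed round numbers for illustration, not measured figures.
CPU_GUESSES_PER_SEC = 1e6      # a single CPU core trying PDF passwords
GPU_GUESSES_PER_SEC = 1e9      # a GPU cracking rig
SECONDS_PER_YEAR = 365.25 * 24 * 3600

def password_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random password of `length` symbols drawn
    from `alphabet_size` choices, i.e. log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def average_tries(bits: float) -> float:
    """Guesses needed to brute-force N bits: 2^N worst case, half of that on average."""
    return 2.0 ** bits / 2

def years_to_crack(bits: float, guesses_per_sec: float) -> float:
    return average_tries(bits) / guesses_per_sec / SECONDS_PER_YEAR

def effective_bits(pw_bits: float, key_bits: int) -> float:
    """The attacker guesses the password the key is derived from, so the real
    strength is whichever is smaller: the password space or the key space."""
    return min(pw_bits, key_bits)

# 94 = printable ASCII characters excluding space (assumed alphabet for "mixed").
CASES = {
    # label: (alphabet size, password length, key bits)
    "8 lowercase letters, RC4 40-bit": (26, 8, 40),
    "8 mixed letters/digits/symbols, AES-128": (94, 8, 128),
    "32 mixed letters/digits/symbols, AES-128": (94, 32, 128),
}

def summarize(rate: float = GPU_GUESSES_PER_SEC) -> dict:
    """Effective strength in bits and average cracking time (years) per case."""
    out = {}
    for label, (alphabet, length, key_bits) in CASES.items():
        bits = effective_bits(password_bits(alphabet, length), key_bits)
        out[label] = (round(bits, 1), years_to_crack(bits, rate))
    return out

if __name__ == "__main__":
    for label, (bits, years) in summarize().items():
        print("%-42s %6.1f bits  ~%.3g years" % (label, bits, years))
```

The point the numbers make is that an 8-character lowercase password is weaker than even a 40-bit RC4 key, while a 32-character mixed password is capped only by the 128-bit key itself.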
Note: Since 2010, most Intel Core i5/i7 and some Core i3 microprocessors now include additional instructions, known as AES New Instructions (AES-NI), to speed up AES encryption and decryption by 3x-10x.
Using AES-128 encryption is evidence that the business is using reasonable care, or a high standard of care, to protect confidential data, including customer or client data.
Since some PDF encryption software is free or low-cost and easy to use, the expense and time a business needs to adopt AES encryption are small. Continued use of older, weaker RC4 encryption, unknown proprietary encryption, or no encryption may be considered evidence of cybersecurity negligence, creating liability for damages if there is a data breach.
PDF Password Security
Passwords must be kept secure. Each PDF document should use a unique password. A password manager or vault, such as LastPass with two-factor authentication and a USB YubiKey, may be used to generate and store long, strong passwords.
If a password-protected PDF file is sent as an email attachment, the password must not be included in the same email. It should be delivered by a separate phone call, text message, secure website account, postal mail, or personal delivery.
Adobe Acrobat Encryption Methods
The following list shows the history of encryption in Adobe Acrobat:
Acrobat 2-4, PDF 1.1-1.3, RC4 40-bit
Acrobat 5, PDF 1.4, RC4 128-bit
Acrobat 6, PDF 1.5, RC4 128-bit, with different encryption method
Acrobat 7, PDF 1.6, AES 128-bit
Acrobat 8, PDF 1.7, AES 128-bit, ISO-32000-1
Acrobat 9, PDF 1.7, AES 256-bit, Adobe Extension Level 3, with weakness in password protection
Acrobat X, XI, DC (XII), PDF 1.7, AES 256-bit, Adobe Extension Level 8, with stronger password protection
Acrobat versions 2 through 8 supported a maximum password length of 32 characters. Beginning with Acrobat version 9, passwords may be up to 127 characters.
Note: To maintain backward compatibility with older PDF software versions, limit the maximum password length to 32 characters.
Note: Avoid Acrobat version 9, due to a weakness in password handling that makes it easier to crack the password.
Users must have Acrobat Reader 7 (PDF 1.6) or later to open files with AES-128 encryption. The latest version of Adobe Acrobat Reader may be downloaded for free.
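As an added example (not code from the page, from Adobe, or from Tracker Software), the following Python script reads a PDF's /Encrypt dictionary and maps its /V and /R values onto the Acrobat generations listed above, then decodes the /P bits that the Owner Password governs (printing, editing, copying, annotating). The sample PDF fragments are constructed for the test, and the mapping of /R 5 and /R 6 to Adobe Extension Levels 3 and 8 is the one given in Adobe's supplements to ISO 32000.

```python
import re

# /P permission bits (1-based, ISO 32000-1 table 22) that an Owner Password governs.
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}

def _int_entry(d: str, key: str, default=None):
    m = re.search(r"/%s\s+(-?\d+)" % key, d)
    return int(m.group(1)) if m else default

def find_encrypt_dict(pdf: bytes):
    """Return the /Encrypt dict the trailer points at (None if unencrypted); classic 'n g obj' layout only."""
    text = pdf.decode("latin-1")
    ref = re.search(r"/Encrypt\s+(\d+)\s+(\d+)\s+R", text)
    if not ref:
        return None
    obj = re.search(r"(?s)\b%s\s+%s\s+obj\s*(<<.*?)\s*endobj" % ref.groups(), text)
    return obj.group(1) if obj else None

def permissions(p: int) -> dict:
    """Decode /P: a set bit means the action is allowed without the Owner Password."""
    return {name: bool(p & (1 << (bit - 1))) for name, bit in PERMISSION_BITS.items()}

def audit(pdf: bytes) -> dict:
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return {"algorithm": "none", "weak": True, "permissions": permissions(-1)}
    v, r = _int_entry(enc, "V", 0), _int_entry(enc, "R", 0)
    cfm = next(iter(re.findall(r"/CFM\s*/(\w+)", enc)), "")
    algo = "unknown (V=%s R=%s)" % (v, r)
    if v == 1:
        algo = "RC4 40-bit"                                   # Acrobat 2-4, PDF 1.1-1.3
    elif v == 2:
        algo = "RC4 %d-bit" % _int_entry(enc, "Length", 40)   # Acrobat 5, PDF 1.4
    elif v == 4:                                              # crypt filters: Acrobat 6 (V2) or 7/8 (AESV2)
        algo = "AES 128-bit" if cfm == "AESV2" else "RC4 128-bit (crypt filter)"
    elif v == 5 and r == 5:
        algo = "AES 256-bit R5"                               # Acrobat 9, Extension Level 3
    elif v == 5 and r == 6:
        algo = "AES 256-bit R6"                               # Acrobat X and later, Extension Level 8
    weak = algo.startswith(("RC4", "unknown")) or r == 5      # R5 is the Acrobat 9 weakness
    return {"algorithm": algo, "weak": weak, "permissions": permissions(_int_entry(enc, "P", -1))}

# Constructed sample fragments (not real documents): just the parts the audit reads.
SAMPLE_RC4_40 = b"""%PDF-1.3
2 0 obj << /Filter /Standard /V 1 /R 2 /P -3904 /O <00> /U <00> >> endobj
trailer << /Root 1 0 R /Encrypt 2 0 R /ID [<01> <01>] >>"""
SAMPLE_AES_256 = b"""%PDF-1.7
3 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> /StmF /StdCF /StrF /StdCF /P -4 /O <00> /U <00> /OE <00> /UE <00> /Perms <00> >> endobj
trailer << /Root 1 0 R /Encrypt 3 0 R /ID [<02> <02>] >>"""
```

A file that reports RC4, "unknown" or R5 should be re-saved with AES-128 or AES-256 (R6) before it is distributed; the script cannot tell whether the User Password is empty, since that requires running the password-to-key derivation.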
PDF Encryption Software
Adobe Acrobat software may be used to add strong encryption and passwords to PDF files, but it is expensive for a small business. The annual plan for the Adobe Acrobat DC (Document Cloud, version 12) Standard desktop full version is $156, and for the Pro desktop full version $180.
Our choice for adding PDF password protection with AES 128-bit and AES 256-bit encryption is PDF-XChange Editor from Tracker Software.
This free PDF editor download includes an extensive list of features. It also allows users to try the extended functionality offered in the paid Pro version of PDF-XChange Editor in evaluation mode, for free.
The Pro version price is $43.50, for a single-user license, and includes a free bonus of PDF-XChange Lite, for the creation of Adobe compatible PDF files from virtually any Windows application.
Do not use PDF encryption products that do not specify the exact type or strength of encryption used.
PDF password protection, AES-128 encryption, and password security rules should be part of a Written Information Security Policy (WISP).