You Need to Read This if You Password-Protect Your PDFs, Top Common Mistakes

April 25, 2014
Kevin Lam

Industries like accounting, healthcare and legal are getting more and more savvy about protecting their customers' data. One of the most common methods we see professionals use today is password-protected PDFs (great, good on you!).

Here, however, are some of the most common PDF password mistakes we’ve seen that can leave your customers’ data exposed, and how you can avoid them.

The 15 Second Tutorial on PDF Passwords

(If you already understand how PDFs are protected, you can skip this section.) When you password-protect a PDF there are two possible passwords that you can set:

  • User password
  • Owner password

The User password, sometimes called the “open” password, is the one a reader must supply to open the PDF file when it is set.

The other password, the Owner password, is used to set what users can do with the PDF. It controls things like whether a user is allowed to print, copy or modify the PDF. Sometimes this is referred to as a “permissions” password. Now for the common mistakes.

Mistake #1: Using a Weak Password

The core of PDF password security is (you guessed it) the password.  It’s literally the only thing that is standing between your data and an identity thief.  Problem is, users are still selecting super weak passwords like:

  • Last 5 digits of your customer’s social security number
  • Birth year
  • Or something that could be easily guessed by a human or computer

Kevin’s Recommendation: Always select a strong password to protect your PDF documents.  Make sure you use a password that’s at least 8 characters long and has a combination of letters (upper and lowercase), numbers and symbols.

Mistake #2: Using a Blank Owner Password

When protecting PDFs, most users will only set the User password. If you’re not careful, some applications automatically set the Owner password to blank if none is specified. This is a big problem, because some PDF readers can simply bypass the User password and use the blank Owner password to open the document, which potentially exposes your customer’s personal information even with a User password set.

Don’t believe me?  Try opening this PDF document.  It has a User password of “password123” set on it, and a blank Owner password.  When you try to open this with Adobe PDF Reader, you get correctly prompted for a password:


However, if you use the Mac OS X Preview app, Preview will simply bypass the User password and use the blank Owner password to open the “protected” document without ever prompting for a password. That’s a super convenient feature for users, but bad news for your customer’s personal information and your reputation.


Kevin’s Recommendation: Whenever you are using passwords to protect sensitive PDF documents, be sure to set the User password and the Owner password with something strong.  It’s OK to set the User and Owner password to the same thing (not ideal, but better than nothing), just don’t leave the Owner password blank.

Mistake #3: Using Weak Encryption Algorithms

When you password-protect a PDF, the password you enter is used to generate an encryption key. That key is then used with an encryption algorithm to protect the document. Possible encryption algorithms include:

  • 128-bit or 256-bit Advanced Encryption Standard (AES), Adobe 7 and higher
  • 128-bit ARC4 (also known as Alleged RC4), Adobe Reader 6 and above
  • 40-bit ARC4, Adobe Reader 3 and above


To help ensure the greatest compatibility, most PDF creation tools will choose 128-bit ARC4 or weaker by default. Slight problem: as of 2013, RC4 is regarded as a weak algorithm. In fact, Microsoft recommends not using this algorithm whenever possible. What encryption algorithm are you using to protect your PDFs?

Kevin’s Recommendation:  Whenever possible, set your encryption algorithm to 128-bit or 256-bit Advanced Encryption Standard (AES). Don’t assume that the strongest algorithm is automatically chosen for you.
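If you want to answer that question for your own files, here is an added example (not code from the original post or from IronBox): a stdlib-only Python check that reads the /Encrypt dictionary a PDF carries and reports the cipher and key length from its /V, /Length and /CFM entries, following the standard security handler's conventions. The inputs are constructed fragments of PDF files with the /O and /U hashes replaced by placeholders; the "weak" flag applies the post's own rule that anything short of AES is weak.

```python
import re

# Constructed samples (not real files): just the /Encrypt object and trailer
# that a PDF carries, with the /O and /U password hashes replaced by <00>.
SAMPLES = {
    "rc4_40": (b"5 0 obj\n<< /Filter /Standard /V 1 /R 2 /P -64 "
               b"/O <00> /U <00> >>\nendobj\ntrailer\n<< /Size 6 /Root 1 0 R "
               b"/Encrypt 5 0 R /ID [<00> <00>] >>\n"),
    "rc4_128": (b"5 0 obj\n<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 "
                b"/O <00> /U <00> >>\nendobj\ntrailer\n<< /Size 6 /Root 1 0 R "
                b"/Encrypt 5 0 R >>\n"),
    "aes_128": (b"5 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 /CF << /StdCF "
                b"<< /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> /StmF /StdCF "
                b"/StrF /StdCF /P -3904 /O <00> /U <00> >>\nendobj\ntrailer\n"
                b"<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n"),
    "aes_256": (b"5 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /CF << /StdCF "
                b"<< /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> /StmF /StdCF "
                b"/StrF /StdCF /P -3904 /O <00> /U <00> /OE <00> /UE <00> /Perms <00> >>\n"
                b"endobj\ntrailer\n<< /Size 6 /Root 1 0 R /Encrypt 5 0 R >>\n"),
    "plain": b"trailer\n<< /Size 6 /Root 1 0 R >>\n",
}

def encryption_summary(pdf: bytes) -> dict:
    """Locate the /Encrypt dictionary and report which cipher and key length
    protect the file. Uses the first /Encrypt reference found; files with
    incremental updates can carry several trailers, so check the last one too."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+\d+\s+R", pdf)
    if not ref:
        return {"encrypted": False, "algorithm": "none", "key_bits": 0, "weak": False}
    obj = re.search(rb"(?<![\d.])" + ref.group(1) + rb"\s+\d+\s+obj(.*?)endobj", pdf, re.S)
    if not obj:
        raise ValueError("/Encrypt object referenced by the trailer is missing")
    d = obj.group(1)
    v = int(re.search(rb"/V\s+(\d+)", d).group(1))  # "/V2" inside /CFM has no space, so it is skipped
    cfm = re.search(rb"/CFM\s*/(\w+)", d)
    if v == 1:                      # original 40-bit RC4 (Acrobat 3 era)
        algo, bits = "RC4", 40
    elif v == 2:                    # RC4 with an explicit /Length of 40..128 bits
        length = re.search(rb"/Length\s+(\d+)", d)
        algo, bits = "RC4", int(length.group(1)) if length else 40
    elif v in (4, 5) and cfm:       # crypt filters: the /CFM name names the cipher
        algo, bits = {b"V2": ("RC4", 128), b"AESV2": ("AES", 128),
                      b"AESV3": ("AES", 256)}.get(cfm.group(1), ("unknown", 0))
    else:
        algo, bits = "unknown", 0
    return {"encrypted": True, "algorithm": algo, "key_bits": bits,
            "weak": algo != "AES"}  # the post's rule: anything short of AES is weak

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, encryption_summary(data))
```

To check a real file, pass the bytes of the whole PDF (open(path, "rb").read()) to encryption_summary.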

That’s it for this week. I hope you learned something new about PDF password protection, and how to keep your PDFs safer.  Until next week,


–Kevin Lam

Co-Founder, IronBox