PDF password protection has been around for a long time, but it is rarely analysed to see how successful it actually is.
Here we look at it in terms of the good, the bad and the ugly.
The good:
- Cheap – you can do it yourself, or there are a ton of programs out there if you search for ‘password generator’;
- Easy to use, and recipients understand the process – ID/password is probably the most common access mechanism in use on the planet, so it has high user acceptability for ease of use;
- Adobe lets you password protect both opening the PDF and changing the permissions granted, and there are viewers and/or plug-ins for handling PDF on almost every platform.
The bad:
- Strong passwords are difficult to set up and use – people cannot relate to them, there are too many passwords to try and remember, and ‘security’ products offer to keep them safe for you, providing a single point of failure should anything at all go wrong;
- Can be shared around easily – since they are sent to the user in readable form, they can be copied and forwarded to anyone, anywhere;
- If documents can be used ‘offline’ there is no way of knowing how many people hold a password that has been given away or stolen;
- Can be stolen easily – because they have to be used by humans they cannot be protected, and the stronger they get the more the human has to keep a real copy on a computer and use copy and paste to enter it, not always the most satisfactory security approach;
- If the end user can change the document permissions, then nothing is actually protected;
- The choice of controls that can be applied using Adobe is rather limited and takes no account of the destination environment being used.
The ugly:
- Password generator and password attack programs have been around a long time as free web downloads and are very effective;
- There are published lists of popular passwords, showing that manual password selection is seriously flawed as an approach;
- Some products, such as those from Elcomsoft, target very specific environments – breaking Adobe passwords, ZIP, RAR, Microsoft Office XP, PGP keys and so on;
- Access is often gained within seconds or minutes using these applications.
So the conclusion you have to come to is that, although PDF password protection seems a good idea because it is easy, most implementations are not actually effective. That is fine if you just want to appear to have some security. As an approach it only starts to become practical with very long passwords, together with other controls that monitor or prevent unauthorized use.
There are stronger approaches than passwords for PDF protection. They start with the introduction of a recipient identifier (ID) as well as a password, and go on to using cryptography to prevent unauthorised use by identifying the hardware and linking it to the license, rather than trying to identify the end user (identifying the hardware is not the same as reading the MAC address of a network adapter, which can be changed or masked relatively easily).
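To make the "very long passwords" point concrete, here is an added example (not code from the original article or from any product it mentions) that vets a candidate password before it is set on a PDF: it rejects entries from a constructed stand-in for the popular-password lists, estimates the brute-force search space from length and character set, and converts that into an expected attack time at an assumed guess rate. The word list, the guess rate and the verdict thresholds are all assumptions chosen for illustration.

```python
import math

# Constructed stand-in for the public "most popular passwords" lists the
# article refers to; the real lists run to millions of entries.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "admin",
    "abc123", "iloveyou", "monkey", "dragon", "football", "123456789",
}

# Assumed guess rate for an offline attack against the protected file.
# This is an illustrative figure, not a measurement of any tool.
GUESSES_PER_SECOND = 1_000_000_000


def charset_size(pw: str) -> int:
    """Size of the smallest common character class set that covers the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on brute-force entropy, assuming every character was chosen
    uniformly at random. A word from the popular list gets 0 bits: an attacker
    tries those first, so its length buys nothing. Human-chosen passwords
    (dictionary words, dates, keyboard walks) sit well below this bound."""
    if not pw or pw in COMMON_PASSWORDS:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def expected_crack_seconds(pw: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Expected time to find the password by exhaustive search (half the space)."""
    return (2 ** entropy_bits(pw)) / 2 / rate


def assess(pw: str, rate: int = GUESSES_PER_SECOND) -> dict:
    """Summarise a candidate password. Verdict thresholds are assumptions."""
    bits = entropy_bits(pw)
    if pw in COMMON_PASSWORDS:
        verdict = "common"
    elif bits < 50:
        verdict = "weak"
    elif bits < 80:
        verdict = "moderate"
    else:
        verdict = "strong"
    return {
        "length": len(pw),
        "entropy_bits": round(bits, 1),
        "expected_seconds": expected_crack_seconds(pw, rate),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for candidate in ["password", "abcdefgh", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {assess(candidate)}")
```

Run it with a few candidates and the pattern the article describes shows up directly: anything on the popular list is gone in well under a second regardless of length, an eight-character lowercase password has a search space of under 2^38, and only a long passphrase pushes the expected attack time past any practical horizon, and then only if the remaining controls stop the password itself from being handed around.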
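The hardware-linked license described above can be illustrated with standard-library cryptography. This added example is not code from the article or from any vendor's product: it assumes a fingerprint built from a set of stable hardware attributes (the attribute names are constructed for the example, and the MAC address is deliberately not one of them), derives a per-recipient, per-device, per-document key from that fingerprint with HMAC-SHA256, and uses it to wrap the document's random content key. A device whose fingerprint differs, or a license whose recipient ID has been altered, fails the integrity check and never recovers the content key.

```python
import hashlib
import hmac
import secrets

# Assumed attribute set; a real product would read stable identifiers from the
# machine. The MAC address is omitted because it is easy to change or mask.
def hardware_fingerprint(attrs: dict) -> bytes:
    canonical = "\n".join(f"{k}={attrs[k]}" for k in sorted(attrs))
    return hashlib.sha256(b"hwfp-v1\n" + canonical.encode()).digest()


def device_key(fingerprint: bytes, recipient_id: str, doc_id: str) -> bytes:
    """HKDF-style extract-then-expand: the key depends on the device, the
    recipient and the document, so one license cannot be reused elsewhere."""
    prk = hmac.new(b"pdf-license-v1", fingerprint, hashlib.sha256).digest()
    info = f"{recipient_id}|{doc_id}".encode()
    return hmac.new(prk, info, hashlib.sha256).digest()


def issue_license(fingerprint: bytes, recipient_id: str, doc_id: str,
                  content_key: bytes) -> dict:
    """Publisher side. The fingerprint was captured when the recipient
    registered the device; the content key is the random key the PDF body is
    encrypted with and never travels in the clear."""
    assert len(content_key) == 32
    k = device_key(fingerprint, recipient_id, doc_id)
    # XOR wrap under a key that is unique to this (device, recipient, document)
    # triple, so the pad is never reused; the HMAC tag covers the result.
    wrapped = bytes(a ^ b for a, b in zip(content_key, k))
    tag = hmac.new(k, doc_id.encode() + wrapped, hashlib.sha256).digest()
    return {"recipient_id": recipient_id, "doc_id": doc_id,
            "wrapped_key": wrapped, "tag": tag}


def unlock(lic: dict, local_attrs: dict):
    """Recipient side. Recompute the device key from the local hardware and
    check the tag before unwrapping; return None if this device does not match."""
    k = device_key(hardware_fingerprint(local_attrs),
                   lic["recipient_id"], lic["doc_id"])
    expected = hmac.new(k, lic["doc_id"].encode() + lic["wrapped_key"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, lic["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(lic["wrapped_key"], k))


if __name__ == "__main__":
    # Constructed sample values.
    licensed_pc = {"cpu_serial": "CPU-0001", "disk_serial": "DISK-0001",
                   "board_uuid": "BOARD-0001"}
    other_pc = dict(licensed_pc, disk_serial="DISK-9999")
    content_key = secrets.token_bytes(32)
    lic = issue_license(hardware_fingerprint(licensed_pc),
                        "alice@example.test", "doc-42", content_key)
    print("licensed device:", unlock(lic, licensed_pc) == content_key)
    print("other device:   ", unlock(lic, other_pc))
```

The strength of the scheme rests on the fingerprint being stable and hard to reproduce on another machine, which is the "identifying the hardware" problem the article points at; the cryptography only guarantees that whatever is identified is what the license is bound to.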