
How do you get PDF password protection to work?

Using passwords to protect PDF files

This article covers the use of a password to protect the opening of a PDF document rather than a permissions password (which can be easily removed).

If you want to go down the route of applying password protection to PDF documents (in order to share them securely with others), then you need to consider the following points before you start:

  1. What is the minimum length for a PDF password to be effective?
  2. Are there any ‘rules’ for making passwords?
  3. Do I put passwords into PDF documents manually or can it be automated?
  4. How do I know which password went on which file?
  5. How do I re-issue a password to a user when it has been lost/stolen/strayed?
  6. Can I stop people swapping passwords?

So first things first – we need to know how long/complicated we need to make the password if it’s going to prove of any value in protecting your PDF file.

An interesting web article on this can be found at Password security and a comparison of Password Generators.

It starts off by telling you that an 8 character password (a-z, A-Z, 0-9) takes about 13 minutes to crack (guaranteed result by brute force alone), and a 10 character one around 500 hours. So a password has to be longer than 8 characters if it is to be realistic with today’s technology. Pass phrases (a series of words rather than characters) are no more and no less secure than anything else, but they might be easier for the recipient to type in, so that is a plus. Do remember that the recipient has got to type it in (or copy and paste from their preferred password vault).

Also, if you have a ‘strong’ password (more than 10 characters), changing it regularly hardly increases its security, whereas adding another character does. If it is already ‘strong’, changing it creates more user chaos than leaving it alone, because the recipient just has more passwords to cope with.

So far we have addressed the first two points. You can make strong passwords, and if you do then you should stick with them and not change them regularly.

Common password generators such as SecureSafe Pro Password Generator follow a strategy of you setting a master password and then they create ‘derivative’ passwords that will remain constant for that master password – this might be very handy if you have a fixed group of recipients.  It means that you don’t need to store all the passwords you have created and sent out. Enter the same master password (maybe the recipient’s name or email) and you get the same list of derivative passwords.  Otherwise, every time you generate a new password you need to store it and the recipient’s identity somewhere so you can recover it (or if someone loses a password and you have to create a new version of the password protected document for them and remember what you were doing).  This works OK for small groups that don’t change.

Other approaches, such as that from SecureSafe Pro Password Manager, let you do a lot of configuring and then generate a batch of as many passwords as you could want. This approach is handy if you want to just pick up the next password in the set. But there is no management built in. You just get a list of strong passwords.

Actually transferring passwords into PDF documents can be automated, but you would need to build your own engine to do this. It would need a Software Development Kit (SDK) to allow you to manipulate the PDF document. There are many SDKs out there, and the licensing can be a bit complicated as to how many toolkits you can install and how many documents you can process. An example of a royalty-free SDK that can secure, sign and protect PDFs comes from Debenu or PDF toolkit.

So the administration of passwords is starting to get a bit complicated? And none of the common tools we have looked at appear to have a method of distributing the passwords once they have been generated. And distributing means getting them into the PDF document as well as getting them to the recipient of the protected PDF document so they can open it when it arrives.

This gets us to the question of what happens when a user ‘loses’ or forgets a password to a document. Do you send something completely new, do you look up somewhere what you used last time and re-create the document, or do you rely on your email history to find what you originally sent them and send that again? The opportunities are endless, as is the amount of manual work created when coping with these problems. So far we have not seen an organized PDF password management system.
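The ‘derivative’ password strategy described earlier also covers the lost-password case: if each password is recomputed from a secret master key plus the recipient, the file name and an issue number, nothing has to be looked up and a re-issue is simply the next issue number. This is an added Python example, not code from any product named in this article; the function names, salt, recipients and file name are constructed, and it assumes the master value is a secret passphrase, with the recipient's identity used only as a label.

```python
import hashlib
import hmac
import string

ALPHABET = string.ascii_letters + string.digits  # a-z, A-Z, 0-9: 62 symbols


def master_key(master_password: str, salt: bytes, rounds: int = 600_000) -> bytes:
    """Stretch the secret master passphrase once; salt is a per-deployment value."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, rounds)


def derive_password(key: bytes, recipient: str, document: str,
                    issue: int = 1, length: int = 16) -> str:
    """Recompute the document-open password for one recipient and one file.

    Bump `issue` when a password is lost or leaked: the result is unrelated
    to the earlier one, and neither has to be stored.
    """
    fields = (recipient.lower().encode(), document.encode(), str(issue).encode())
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different labels.
    label = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Bytes >= 248 are discarded so every symbol is equally likely (no modulo bias).
    limit = 256 - (256 % len(ALPHABET))
    chars, counter = [], 0
    while len(chars) < length:
        block = hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        chars.extend(ALPHABET[b % len(ALPHABET)] for b in block if b < limit)
    return "".join(chars[:length])


if __name__ == "__main__":
    # Constructed sample values, for illustration only.
    key = master_key("constructed master passphrase", b"constructed-salt")
    for who in ("alice@example.com", "bob@example.com"):
        print(who, derive_password(key, who, "report-2024.pdf"))
    print("re-issue for alice:", derive_password(key, "alice@example.com", "report-2024.pdf", issue=2))
```

The only state left to record is the current issue number per recipient and file, which is not itself sensitive.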

Can you stop people swapping passwords? No. Rather like digital signatures, if giving them away does not stop people using the documents then who cares? It needs a measure of inconvenience, such as a watermark that identifies the authorised user, or a control that stops more than one person at a time from using a document, to persuade people not to give away passwords. Also, allowing users to redefine the security controls based on passwords is basically unsound. If any outside user can change the security controls then it does not take much to create documents that are not controlled.

Maybe it is symptomatic, but there are far more password remover applications than password generator applications.

So you can make PDF password protection work for small groups if you trust the users NOT to share the documents and passwords with others, but making it manageable, efficient and scalable is not easy.
