If you are going to use passwords to protect PDF documents then there are a few things that you need to keep in mind.
Don’t pick obvious words as passwords (password, master, boss) or even single dictionary words.
There are tools available on the Internet, such as those from Elcomsoft, that perform what are called dictionary attacks. Basically they have a massive dictionary of popular and common passwords, and they will try all of them to see if any work. The process takes maybe a few minutes to run through thousands of these. Typical passwords NOT to use include: 123456, 123456789, password, admin, 12345678, qwerty, 1234567, 111111, photoshop, 123123, 1234567890, 000000, abc123, 1234, adobe1, macromedia, azerty, iloveyou, aaaaaa, 654321, fred. If the common passwords fail they switch to using words from dictionaries, often in several different languages.
Current cracking tools also use a technique called brute force: they start with an empty password, add one character and try that. If it fails they add another character and try again, working through every combination until they find it. Which is guaranteed, given enough time! So the shorter the password, the quicker the cracker gets there.
At the other end of the process you have an end user who has to enter the password. So you can’t use characters that do not display on screen or are hard to find on a keyboard. You don’t want a situation where recipients can only get the passwords in by copy and paste (and maybe not then if the characters don’t display properly). That makes a system unusable.
Although people are good at remembering things such as phone numbers and post codes, they do not remember 15 random characters very easily, especially if they have more than one password to remember. Lots of PCs and tablets are getting better at remembering passwords for you, but that also creates a point of weakness if all the passwords are in the one place. There is then only one place to crack.
Using two normal words separated by a special character can work well and can be remembered. Try such things as enable*freeze or money$strength for instance. They are long and a cracker cannot assume they are related words, or what length they might be.
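The checks described so far (the common-password list, single dictionary words, the way brute-force cost grows with length, and characters a recipient may not be able to type) can be combined into a small policy check before a password is handed out with a PDF. The following is an added example, not code from the original post: the common-password set is the post's own list, the dictionary is a tiny constructed stand-in for a cracker's word list, and the 12-character minimum is an assumption chosen for illustration.

```python
import string

# The common passwords listed in the post (the cracker tries these first).
COMMON_PASSWORDS = {
    "123456", "123456789", "password", "admin", "12345678", "qwerty",
    "1234567", "111111", "photoshop", "123123", "1234567890", "000000",
    "abc123", "1234", "adobe1", "macromedia", "azerty", "iloveyou",
    "aaaaaa", "654321", "fred",
}

# Constructed stand-in for a dictionary word list; a real one holds millions
# of words in several languages.
DICTIONARY_WORDS = {
    "master", "boss", "password", "enable", "freeze", "money", "strength", "fred",
}

SEPARATORS = set(string.punctuation)
MIN_LENGTH = 12  # assumption for this example, not a figure from the post


def brute_force_keyspace(password: str) -> int:
    """Number of candidates a brute-force run must try to reach this password,
    assuming the cracker walks every length from 1 up to len(password) over the
    character classes the password actually uses (digits, lower, upper, punctuation).
    This is what makes each extra character so expensive for the attacker."""
    classes = 0
    if any(c.isdigit() for c in password):
        classes += 10
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c in SEPARATORS for c in password):
        classes += len(string.punctuation)
    if classes == 0:
        return 0
    return sum(classes ** n for n in range(1, len(password) + 1))


def check_password(password: str) -> list:
    """Return the reasons a password would fall quickly or be unusable by the
    recipient; an empty list means it passed every check here."""
    problems = []
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if lowered in DICTIONARY_WORDS:
        problems.append("single dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in SEPARATORS for c in password):
        problems.append("no separator or special character")
    # Non-printable or non-ASCII characters may not display or be typeable on
    # the recipient's keyboard, which makes the password unusable in practice.
    if not password.isprintable() or not password.isascii():
        problems.append("contains characters recipients may not be able to type")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "1234", "enable*freeze", "money$strength"):
        print(candidate, brute_force_keyspace(candidate), check_password(candidate))
```

Running it shows "password" and "1234" failing on several counts while the two-word forms from the post pass, and the keyspace figures make the point about length concrete: the cracker's guaranteed search is tiny for four digits and enormous for thirteen mixed characters.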
Many systems recognize that passwords get forgotten or lost. And you need some way of checking that the person requesting a replacement password actually is who they claim. Many systems set up test questions and ‘secret’ answers, and ask the claimant for a series of characters from a selection of the questions before either resetting or disclosing the password. This can get a bit complicated and means everyone needs to keep more and more password information, so that can be a problem.
Never ever ever tell any machine that is not your own to ‘Remember Me.’ It doesn’t matter how well you know the owner, and certainly not in a public machine (like an Internet café or a conference workstation). There’s not a lot of point going to the trouble of creating a security system and then handing the keys to anyone on the planet!