How good is PDF password protection?

It appears that Word's password protection is not really good, at least until Office 2003, if I read this SU entry correctly. I'm under the impression that Acrobat's PDF password protection should be better (it says 128-bit AES for Acrobat 7 and higher). Is that true?

Of course, it depends on the strength of the password used, but assuming I protect my PDF with a password like sd8Jf+*e8fh§$fd8sHä, am I on the safe side?

Like, say, for sending confidential patient information - not really valuable, but potentially highly sensitive.


Solution 1:

From the Adobe site - Securing documents with passwords:

The Acrobat 3 And Later option uses a low encryption level (40‑bit RC4), while the other options use a high encryption level (128‑bit RC4 or AES). Acrobat 6.0 And Later lets you enable metadata for searching. Acrobat 9.0 And Later encrypts the document using the AES encryption algorithm with a 256-bit key size.

So apparently 7 will use 128-bit AES. I'd say you're very safe, especially with a password like that. The National Institute of Standards and Technology agrees:

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key.

Solution 2:

Of course, it depends on the strength of the password used, but assuming I protect my PDF with a password like sd8Jf+*e8fh§$fd8sHä, am I on the safe side?

With such a password, your documents will be pretty much well protected, especially under Acrobat 7 and 8.

Under Acrobat 9, Adobe made changes to the underlying algorithm. And while they upgraded the encryption to 256-bit AES, the algorithm allows brute-force and dictionary attacks to waste fewer processor cycles on each password interaction. You can read about it in Adobe's blog.

Necessarily, that type of password will be a strong one under Acrobat 9 and will render any brute-force or dictionary attack (pretty much the only means of breaking a PDF-protected document) a very inefficient method. And while it needs to be said that these tools will perform faster under Acrobat 9, it would still be years before a common user machine could eventually break your password.


One last comment: the size of your password will be the most determining factor in protection, as well as the unique count of characters. So, you can expect to provide a password such as mypaSwURD_frOM2009onMunTH#16, which is easier to memorize (includes purposeful typos), and still obtain the same high security level.
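To confirm which of the encryption levels quoted in Solution 1 a file really carries before sending it, and whether it is the Acrobat 9 scheme discussed in Solution 2, the /Encrypt dictionary in the PDF can be read directly. The sketch below is an added example, not part of either answer: the /V and /R meanings follow the PDF standard security handler, the function names are hypothetical, the sample bytes are constructed fragments, and the raw-byte scan is a heuristic rather than a full PDF parser.

```python
import re

def num_after(key: bytes, body: bytes, default=None):
    """Integer that follows a /Key name in a PDF dictionary body."""
    m = re.search(rb"/" + key + rb"\s+(\d+)", body)
    return int(m.group(1)) if m else default

def inspect_pdf_encryption(data: bytes) -> dict:
    """Heuristic scan of raw PDF bytes for the /Encrypt dictionary."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref:  # usual case: the trailer points at an indirect object
        pat = (rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
               + rb"\s+obj(.*?)endobj")
        obj = re.search(pat, data, re.S)
        body = obj.group(1) if obj else b""
    else:    # dictionary written inline after /Encrypt, or none at all
        pos = data.find(b"/Encrypt")
        if pos < 0:
            return {"encrypted": False}
        body = data[pos:pos + 2048]
    v, r = num_after(b"V", body), num_after(b"R", body)
    notes = []
    if v == 5:
        cipher, bits = "AES", 256
    elif v == 4:  # crypt filters: /AESV2 is AES, /V2 is RC4
        cipher, bits = ("AES" if b"/AESV2" in body else "RC4"), 128
    elif v in (1, 2):  # RC4; /Length only applies to V 2, default 40
        cipher = "RC4"
        bits = num_after(b"Length", body, 40) if v == 2 else 40
    else:
        cipher, bits = None, None
        notes.append("unrecognised or missing /V")
    if bits is not None and bits <= 40:
        notes.append("low encryption level (40-bit RC4)")
    if r == 5:
        notes.append("Acrobat 9 scheme: faster password guessing")
    return {"encrypted": True, "cipher": cipher, "key_bits": bits,
            "revision": r, "notes": notes}

# Constructed fragments (not real documents): only the parts the scan reads.
ACROBAT3 = (b"7 0 obj\n<< /Filter /Standard /V 1 /R 2 >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>")
ACROBAT7 = (b"9 0 obj\n<< /Filter /Standard /V 4 /R 4 /Length 128 "
            b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>")
ACROBAT9 = (b"9 0 obj\n<< /Filter /Standard /V 5 /R 5 /Length 256 "
            b"/CF << /StdCF << /CFM /AESV3 >> >> >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>")
```

Call `inspect_pdf_encryption(open(path, "rb").read())` on the exported file; a non-empty `notes` list means the compatibility setting or the password length deserves a second look.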