PDF Password Encyrption: An Ineffective Security Measure

The use of Adobe PDF password protection and certificate encryption causes no prevention or restriction to document sharing.  Adobe PDF password protection allows for a user to password protect their documents from unwanted access. This protection is optional to allow specific access to those who need it without making a document completely public.

Also Read: How to Reduce PDF on Mac Without Losing Quality? Compress PDF Mac!!

Password protection like this is very similar to the passwords that protect our other devices such as our phones and computers. Once a user enters the correct password the document is decrypted and is available for view. Beyond this, there are disadvantages to the use of password protection and certificate encryption that makes them an ineffective security measure for PDF document protection.

The reality of this is once a user has a password, they can easily pass it on to another person to use, allowing for them to edit and access a document.  Adobe Acrobat files are decrypted when the user provides the correct password.  No further checks are performed to determine whether the user should have the password – where they are opening it from, whether it is from a recognized device/network, etc.  As a result, anybody who has the password can pass it along with the PDF file to anybody they like (intentionally or via social engineering/phishing).  Most PDF readers have no tracking, so you won’t even know that it has happened …

Alternatively, an authorized user can just remove the PDF password from the file.

Anybody that has the open password can remove it using the security panel in Adobe Acrobat or any number of free PDF password remover tools.  They can then share the file as if it were never protected in the first place. Someone who has the current authorization to a document has the ability to give that authorization to anyone else, including someone who may cause harm to a document. There are no protocols in place meant to determine if someone should or should not have access to the document.

It is easy to get in and out of a password protected document through outside access. Not only that, but it’s even easier to guess the password of a protected document due to their frequent reuse and simplicity – the stronger you make a password the harder it is to remember.  A strong password should have the following characteristics: 16 or more characters that are a combination of letters, numbers and special characters, a password that is unshared with another account, a password that contains no personal information (such as an address, birthday or a phone number) and contains no information of easy access (such as the names of pets or children) and it contains no repeated or common words, and no consecutive letters or numbers.

It may seem practical to just choose a password of the highest security but even that carries risks. Using repeat passwords or writing down complex passwords are two of the most common ways a password can be found and compromised. Not only that, sending a password in an email, keeping a running list, or even keeping a journal of your passwords makes them easy to find and use. Additionally, phishing and social engineering are common ways for an unauthorized user to receive a password for a confidential document and access it. Even the strongest of passwords can be broken with the right software and time.

As for certificate encryption, it is more secure than password encrypted documents since there are no passwords to be distributed.  This allows for certain users to be identified on the bases of their certificate and not based on a password that can be shared with other unauthorized users. However, there are disadvantages to certificate encryption. However, once a user can open the PDF, they can save it to another unprotected PDF file.

Then there are PDF restrictions or permissions to prevent editing, copying and printing.  Unfortunately, these can be instantly removed using freely available password cracking or recovery tools. Also, PDF restrictions are not enforced by all PDF Readers. Some PDF Viewers and other applications completely ignore them, so users can just use Mac Preview, Google Docs, or the appropriate PDF Reader to view ‘protected’ PDF documents and no restrictions will be applied.”

Once a user has access to a document they can remove the security measures and share it with anyone they wish. Anybody can print, edit, or even make copies of a document that may be confidential and share the information contained inside. This causes a serious data breach for those protecting valuable information, leading to a collection of privacy-concerned and expensive problems.  While it’s harder to gain access to a certificate protected document than it is a password protected one, it is still possible for authorized users to share unprotected copies. What is the point in applying such protections if they provide no actual protection?

The use of password protection and certificate protection provide simply no protection for PDF documents. Password protection is easily compromised due to the simplicity of password hacking and the common phishing and social engineering attacks users experience. It is so easy to share a password with the wrong person, whether willingly or accidentally.

Even a well-designed password meeting all requirements may still be compromised with the help of programs designed to decode such passwords. Certificate encryption carries no additional security in preventing sharing. It is easy to save a certificate encrypted PDF as an unprotected one and share it with others. Any user can gain access to both password protected and certificate protected documents and copy, share or use the data within them.

It is a simple process and has no protection under the use of encryption or password protection. This can cause serious data and security issues for users who are attempting to protect sensitive data. There is no use in using such ‘protections’ when they are simply providing no actual protection to documents or files of even basic importance, let alone those of high security. Certificate encryption and password protection offer no real security to PDF documents and a user’s ability to read, write or share them.

Leave a Reply

Your email address will not be published. Required fields are marked *