PDF Encryption Explained: What Password Protection Actually Does (and Doesn't)

CasperPDF Team

March 20, 2026 · 5 min read

Two Passwords, Two Very Different Things

Most people think of PDF password protection as a single feature: you set a password, and people need it to open the file. That's partially correct — but the PDF format actually supports two distinct types of passwords, and they do very different things.

The user password (also called the "open password") is what most people think of. Without it, the PDF won't open at all. The contents are encrypted and inaccessible.

The owner password (also called the "permissions password") is different. It doesn't prevent opening the file. Instead, it restricts specific actions: printing, copying text, editing, or extracting pages. The document opens normally, but certain features are locked.

Here's the critical thing most people don't know: owner password restrictions are trivially bypassable. They rely on the PDF reader voluntarily enforcing the restrictions. Adobe Acrobat respects them. Many other tools — including open-source PDF libraries — simply ignore them. If you've ever wondered why someone could copy text from a PDF you "protected" against copying, this is why.

If you genuinely need to prevent someone from accessing your document, use the user (open) password. Owner passwords are polite suggestions, not real security.

The Three Eras of PDF Encryption

PDF encryption has evolved significantly since the format was created in 1993. Understanding the generations helps you assess how secure your protected files actually are.

40-bit RC4 (PDF 1.1–1.3, 1990s). The original PDF encryption. RC4 is a stream cipher that was fast and simple, but 40-bit keys are absurdly short by modern standards. A 40-bit key can be cracked in seconds using commodity hardware. If your PDF was created with an older tool and uses this encryption, the password protection is essentially decorative.

128-bit RC4 (PDF 1.4–1.5, 2000s). A significant improvement in key length, but still using the RC4 algorithm. While 128-bit keys are far stronger, RC4 itself has known vulnerabilities. It's been deprecated in PDF 2.0 and is no longer recommended for new documents.

128-bit and 256-bit AES (PDF 1.6+, 2006–present). AES (Advanced Encryption Standard) is the modern standard, ratified by NIST and used globally for everything from government communications to banking. 256-bit AES is what current tools should be using. It's the same encryption standard that protects classified government information.
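The encryption generation and the owner-password permission flags described above are plain entries in a PDF's /Encrypt dictionary, so a protected file can be audited without knowing its password. The Python below is an added example, not CasperPDF's code: it classifies the text of an /Encrypt dictionary (finding that dictionary inside a real file is left to a PDF library), and the sample dictionaries and file names are constructed.

```python
import re

# /P permission bits (1-based positions) for the Standard security handler.
PERM_BITS = {3: "print", 4: "modify", 5: "copy", 6: "annotate",
             9: "fill_forms", 11: "assemble", 12: "print_high_res"}

def _num(d: bytes, key: bytes, default: int) -> int:
    """First integer value of /key in the dictionary text, else default."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else default

def classify_encrypt(d: bytes) -> dict:
    """Report cipher, key size, rating and denied permissions for /Encrypt."""
    v = _num(d, b"V", 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", d)   # crypt filter method (/V 4 and 5)
    cfm = cfm.group(1).decode() if cfm else ""
    if v == 1:
        cipher, bits = "RC4", 40
    elif v == 2:
        cipher, bits = "RC4", _num(d, b"Length", 40)  # default is 40 bits
    elif v == 4:
        cipher, bits = ("AES" if cfm == "AESV2" else "RC4"), 128
    elif v == 5:
        cipher, bits = "AES", 256
    else:
        cipher, bits = "unknown", 0
    rc4_rating = "deprecated" if bits >= 128 else "weak"
    rating = {"AES": "modern", "RC4": rc4_rating}.get(cipher, "unknown")
    # /P is a signed 32-bit word; a cleared bit asks the reader to deny the
    # action. Nothing in the file enforces it once the content is decrypted.
    p = _num(d, b"P", -1)
    denied = [name for bit, name in PERM_BITS.items() if not p & (1 << (bit - 1))]
    return {"cipher": cipher, "bits": bits, "rating": rating, "denied": denied}

# Constructed sample dictionaries; the /O and /U password entries are omitted.
SAMPLES = {
    "era1.pdf": b"<< /Filter /Standard /V 1 /R 2 /P -1044 >>",
    "era2.pdf": b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>",
    "aes128.pdf": b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1044 "
                  b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> >>",
    "aes256.pdf": b"<< /Filter /Standard /V 5 /R 6 /Length 256 /P -4 "
                  b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >>",
}

if __name__ == "__main__":
    for name, enc in SAMPLES.items():
        print(name, classify_encrypt(enc))
```

A "weak" or "deprecated" rating means the file should be re-encrypted with AES-256 regardless of how long its password is.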

What Encryption Actually Protects

When you set a user password with AES-256 encryption, the document's contents are genuinely encrypted. Without the password, the data is computationally infeasible to recover — it would take longer than the age of the universe with current technology.

But encryption protects the *contents*, not the *existence* of the file. An encrypted PDF on a shared drive is still visible as a file. Someone can see its filename, file size, page count (in some cases), and metadata like creation date. They just can't read the contents.

Also important: encryption protects data *at rest*. Once you open the PDF and enter the password, the decrypted content exists in your computer's memory. If someone has access to your device while the file is open, encryption doesn't help.

Common Misconceptions

"I password-protected it, so it's secure." Only if you used the user password (not just the owner password) and your tool uses AES encryption. Many tools still default to weaker encryption methods.

"The password is strong, so the encryption is strong." Not necessarily. A 20-character password with 40-bit RC4 encryption is still trivially crackable — the attacker bypasses the password entirely and attacks the weak encryption key directly.

"Encrypted PDFs can't be opened by anyone but me." Anyone with the password can open it. If you email the PDF and the password in the same channel, you haven't gained much security. Send the password through a different channel (text message, phone call) for meaningful protection.

"Removing password protection from my own PDF is illegal." No. If you know the password and own the document, removing the protection is entirely legal. Tools that remove PDF passwords are designed for legitimate use — like when you've inherited a protected file and know the credentials but want an unprotected copy for your records.

Choosing the Right Protection

For casual protection (preventing accidental viewing by the wrong person): any user password with modern encryption is sufficient. The goal isn't to resist a determined attacker — it's to keep honest people honest.

For sensitive documents (financial records, legal contracts, medical data): use 256-bit AES encryption with a strong password (12+ characters, mixed case, numbers, symbols). Share the password through a separate channel. Consider whether the document needs to be a PDF at all — encrypted zip archives and secure file-sharing services may be more appropriate.

For preventing copying or printing: understand that owner passwords are unenforceable. If someone can view the document, they can screenshot it, photograph it, or use a tool that ignores permission flags. True copy protection doesn't exist for any document format.

The Bottom Line

PDF encryption is a genuine security tool when used correctly — but it's not as simple as "set a password and forget it." The type of password matters, the encryption algorithm matters, and your expectations should match what the technology actually provides. Understanding these distinctions is the difference between real security and a false sense of it.
