PDF Security

Security Recommendations

Keep in mind that only PDFs with a user password (required to open the document) are safe from cracking. The following should be avoided because the resulting encryption is weak and could be cracked:

Passwords consisting of 1-6 characters should be avoided since they are susceptible to attacks which try all possible passwords (brute-force attack against the password).

Passwords should not resemble a plain text word since the password would be susceptible to attacks which try all plaintext words (dictionary attack).

Passwords should contain non-alphabetic characters. Don’t use your spouse’s or pet’s name, birthday, or other items which are easy to determine.

40-bit RC4 encryption according to PDF 1.3 (Acrobat 4) should be avoided since it is susceptible to attacks which try all possible keys (brute-force attack against the encryption key).

The modern AES algorithm is preferable over the older RC4 algorithm.

AES-256 according to PDF 1.7 Adobe Extension Level 3 (Acrobat 9) should be avoided because it contains a weakness in the password checking algorithm which facilitates brute-force attacks against the password. For this reason Acrobat X/XI no longer offer Acrobat 9 encryption for protecting new documents (only for decrypting existing documents).

In summary, AES-256 according to PDF 1.7 Adobe Extension Level 8/PDF 2.0 or AES-128 according to PDF 1.6/1.7 should be used, depending on whether or not Acrobat X/XI is available. Passwords should be longer than 6 characters and should contain non-alphabetic characters.
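
The following Python code is an added example, not part of the original page or of any product's own code. It maps the `/V`, `/R`, `/Length` and `/CFM` entries of a Standard security handler encryption dictionary to the recommendations above and checks a password against the length and character rules; the sample dictionaries are constructed and abbreviated, and the function names and verdict strings are assumptions chosen for illustration.

```python
import re

# Constructed, abbreviated sample encryption dictionaries (not from real files).
SAMPLES = {
    "acrobat4": b"<< /Filter /Standard /V 1 /R 2 /P -64 >>",
    "rc4_128": b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>",
    "aes128": b"<< /Filter /Standard /V 4 /R 4 /Length 128 "
              b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> >>",
    "acrobat9": b"<< /Filter /Standard /V 5 /R 5 /Length 256 "
                b"/CF << /StdCF << /CFM /AESV3 >> >> >>",
    "pdf20": b"<< /Filter /Standard /V 5 /R 6 /Length 256 "
             b"/CF << /StdCF << /CFM /AESV3 >> >> >>",
}

def _int(raw, key, default):
    """First integer value of /key in the dictionary, or default if absent."""
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", raw)
    return int(m.group(1)) if m else default

def classify_encryption(raw):
    """Map an /Encrypt dictionary to (algorithm, verdict) per the list above."""
    v, r = _int(raw, b"V", 0), _int(raw, b"R", 0)
    if v == 1:
        return ("RC4 40-bit", "avoid")            # PDF 1.3 / Acrobat 4
    if v == 2:
        bits = _int(raw, b"Length", 40)           # /Length defaults to 40 bits
        return (f"RC4 {bits}-bit", "avoid" if bits == 40 else "prefer AES")
    if v == 4:
        if re.search(rb"/CFM\s*/AESV2\b", raw):
            return ("AES-128", "recommended")     # PDF 1.6/1.7
        return ("RC4 (crypt filter)", "prefer AES")  # crypt filter method /V2
    if v == 5 and r == 5:
        return ("AES-256 (Acrobat 9)", "avoid")   # Adobe Extension Level 3
    if v == 5 and r == 6:
        return ("AES-256 (PDF 2.0)", "recommended")  # Extension Level 8
    return ("unknown", "review")

def password_ok(pw):
    """Longer than 6 characters and at least one non-alphabetic character."""
    return len(pw) > 6 and any(not c.isalpha() for c in pw)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, *classify_encryption(raw))
    print(password_ok("sunshine"), password_ok("s7n!shine-42"))
```

The password check covers only the length and character-class rules; the dictionary-word and personal-information rules need a word list and are not modelled here.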