Recommendations

Security Recommendations

Keep in mind that only PDFs with a user password (required to open the document) are safe from cracking. The following should be avoided because the resulting encryption is weak and could be cracked:

  • Passwords consisting of 1-6 characters should be avoided since they are susceptible to attacks which try all possible passwords (brute-force attack against the password).
  • Passwords should not resemble a plain text word since the password would be susceptible to attacks which try all plaintext words (dictionary attack).
  • Passwords should contain non-alphabetic characters. Don’t use your spouse’s or pet’s name, birthday, or other items which are easy to determine.
  • 40-bit RC4 encryption according to PDF 1.3 (Acrobat 4) should be avoided since it is susceptible to attacks which try all possible keys (brute-force attack against the encryption key).
  • The modern AES algorithm is preferable over the older RC4 algorithm.
  • AES-256 according to PDF 1.7 Adobe Extension Level 3 (Acrobat 9) should be avoided because it contains a weakness in the password checking algorithm which facilitates brute-force attacks against the password. For this reason Acrobat X/XI/DC no longer offer Acrobat 9 encryption for protecting new documents (only for decrypting existing documents).

In summary, AES-256 according to PDF 1.7 Adobe Extension Level 8/PDF 2.0 should be used. Passwords should be longer than 6 characters and should contain non-alphabetic characters.
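The recommendations above can be checked mechanically. The following is an added example, not part of the original documentation: it reads the `/V`, `/R`, `/Length` and `/CFM` entries of a standard security handler `/Encrypt` dictionary and applies the list above to it and to a candidate password. The function names, verdict labels and sample dictionaries are assumptions made for illustration.

```python
import re

def _num(d, key, default=None):
    # Integer value of /key in the raw dictionary bytes, or default if absent.
    m = re.search(rb"/" + key + rb"\s+(\d+)", d)
    return int(m.group(1)) if m else default

def classify_encrypt(d):
    """Return (algorithm, verdict) for a raw standard-handler /Encrypt dictionary."""
    v, r = _num(d, b"V", 0), _num(d, b"R", 0)
    if v == 5 and r == 6:
        return "AES-256 (PDF 2.0 / Extension Level 8)", "recommended"
    if v == 5 and r == 5:
        # Acrobat 9 scheme: weak password checking algorithm.
        return "AES-256 (Acrobat 9 / Extension Level 3)", "avoid"
    if v == 4:
        # Crypt filter method: /AESV2 is AES-128, /V2 is RC4.
        cfm = re.search(rb"/CFM\s*/(\w+)", d)
        if cfm and cfm.group(1) == b"AESV2":
            return "AES-128", "prefer-aes256"
        return "RC4 (crypt filter)", "prefer-aes"
    if v in (1, 2, 3):
        bits = 40 if v == 1 else _num(d, b"Length", 40)  # /Length defaults to 40
        return f"RC4-{bits}", "avoid" if bits == 40 else "prefer-aes"
    return "unknown", "review"

def password_issues(pw, wordlist=()):
    """Check a password against the password rules in the list above."""
    issues = []
    if len(pw) <= 6:
        issues.append("too short")
    if pw.lower() in wordlist:  # simplification: exact match only
        issues.append("dictionary word")
    if pw.isalpha():
        issues.append("no non-alphabetic character")
    return issues

# Constructed sample dictionaries (not taken from real documents).
_AES256 = b" /Length 256 /CF << /StdCF << /CFM /AESV3 >> >> >>"
SAMPLES = {
    "acrobat4": b"<< /Filter /Standard /V 1 /R 2 >>",
    "acrobat9": b"<< /Filter /Standard /V 5 /R 5" + _AES256,
    "pdf20": b"<< /Filter /Standard /V 5 /R 6" + _AES256,
}

if __name__ == "__main__":
    for name, d in SAMPLES.items():
        print(name, classify_encrypt(d))
    print(password_issues("rover", wordlist={"rover"}))
```

Both Acrobat 9 and PDF 2.0 encryption use `/V 5` with 256-bit keys; only the revision number `/R` (5 versus 6) separates the scheme to avoid from the recommended one.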