PDF offers multiple security mechanisms, but they're widely misunderstood. An "owner password" that prevents printing can be removed in seconds, while a "user password" with AES-256 is essentially unbreakable when the password itself is strong. This guide explains what actually protects your data.
Two Types of PDF Passwords
PDFs support two distinct passwords, each with very different security properties:
| Feature | User Password (Open Password) | Owner Password (Permissions Password) |
|---|---|---|
| What it does | Prevents opening the PDF entirely | Restricts actions (print, copy, edit) but allows viewing |
| Security level | Strong — content is encrypted | Weak — content is NOT encrypted in older formats |
| Can be bypassed? | Only by brute-force or knowing the password | Trivially removed by many tools |
| Use case | Confidential documents that must not be viewed without authorization | Discouraging casual copying/printing (not security) |
PDF Encryption Algorithms
PDF has used several encryption algorithms over its history:
| Algorithm | PDF Version | Key Length | Current Status |
|---|---|---|---|
| RC4 | PDF 1.1+ | 40-bit | ❌ Completely broken — crackable in seconds |
| RC4 | PDF 1.4+ | 128-bit | ⚠️ Weak — feasible attacks exist, not recommended |
| AES | PDF 1.6+ | 128-bit | ✅ Secure for most purposes |
| AES | PDF 2.0 | 256-bit | ✅ Strong — current best practice |
When setting a user password, always choose AES-256 if your tool supports it. If you must use an older format, AES-128 is the minimum acceptable level.
Redaction: Removing Sensitive Content
Redaction is the permanent removal of content from a PDF. Done wrong, it's a security disaster. Done right, it's irreversible.
What Proper Redaction Does
- Permanently removes the text or image from the PDF's internal data streams
- Replaces the redacted area with a solid black (or colored) rectangle
- Removes the underlying character data so copy/paste and search return nothing
- Strips the content from document metadata and any associated XMP data
What Fake "Redaction" Looks Like
These common mistakes look like redaction but leave the original content fully intact:
- Black highlight — using a highlight annotation in black. The text is still there underneath; select-all + copy reveals it.
- Black rectangle annotation — drawing a shape on top. The original content is untouched in the page stream.
- Black text box overlay — adding a text box filled with black. Removing the annotation reveals everything.
- Screenshot and paste — taking a screenshot and pasting it over the sensitive area. If the original still exists in the layer below, it can be extracted.
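A check for the mistakes listed above, as an added example that is not part of the original guide: page content streams are usually Flate-compressed, so a plain search of the file's bytes can miss text that is still present, and this script inflates each stream before looking. The function names and the sample file are constructed for illustration, and it assumes an unencrypted PDF, Flate-only streams and a simple font encoding (text stored as readable bytes).

```python
import re
import zlib

STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
# String operands of text-showing operators: (literal) or <hex>.
# Simplification: nested unescaped parentheses inside a literal are not handled.
STRING_RE = re.compile(rb"\((.*?)(?<!\\)\)|<([0-9A-Fa-f\s]+)>", re.DOTALL)


def inflated_streams(pdf: bytes):
    """Yield each stream body, inflated when it is Flate (zlib) data."""
    for body in STREAM_RE.findall(pdf):
        try:
            # decompressobj tolerates the end-of-line bytes left before 'endstream'
            yield zlib.decompressobj().decompress(body)
        except zlib.error:
            yield body  # uncompressed or another filter: scan as-is


def shown_text(stream: bytes) -> bytes:
    """Join string operands in order, so TJ arrays split by kerning still match."""
    out = []
    for literal, hexdigits in STRING_RE.findall(stream):
        digits = re.sub(rb"\s", b"", hexdigits).decode()
        out.append(literal or bytes.fromhex(digits + "0" * (len(digits) % 2)))
    return b"".join(out)


def leftovers(pdf: bytes, secrets):
    """Map each secret to where it survives: raw file bytes and/or stream text."""
    texts = [shown_text(s) for s in inflated_streams(pdf)]
    return {s: {"raw": s.encode("latin-1") in pdf,
                "stream": any(s.encode("latin-1") in t for t in texts)}
            for s in secrets}


def sample_fake_redaction() -> bytes:
    """Constructed sample: compressed page text with a black square drawn on top."""
    content = zlib.compress(b"BT /F1 12 Tf 72 720 Td [(SSN 123-) -15 (45-6789)] TJ ET")
    return (b"%PDF-1.7\n4 0 obj\n<< /Length " + str(len(content)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + content + b"\nendstream\nendobj\n"
            + b"5 0 obj\n<< /Type /Annot /Subtype /Square /Rect [70 715 200 735]"
            + b" /IC [0 0 0] >>\nendobj\n%%EOF\n")


if __name__ == "__main__":
    print(leftovers(sample_fake_redaction(), ["123-45-6789", "Jane Roe"]))
```

A `stream` hit on a value that should be gone means the page content was only covered, not removed.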
Digital Signatures
A digital signature proves two things:
- Authentication — the signer is who they claim to be (verified through a certificate chain).
- Integrity — the document hasn't been modified since it was signed (cryptographic hash verification).
Key facts about PDF digital signatures:
- They cover a specific byte range of the PDF — any modification (even adding a comment) invalidates them.
- Multiple signatures are supported — each covers the state of the document at the time it was signed.
- They are NOT encryption — a signed PDF is still readable by anyone. Signing provides proof, not confidentiality.
- Merging, splitting, rotating, or watermarking a signed PDF always invalidates the signature.
Watermarks as Security
Watermarks serve a deterrent function, not a security function:
- Visible watermarks — text like "CONFIDENTIAL" or "DRAFT" across the page. These discourage casual sharing and help identify leaked documents, but can be removed by anyone with a PDF editor.
- Dynamic watermarks — include the recipient's name or email in the watermark, so leaked copies can be traced back. More effective for accountability than prevention.
- Invisible watermarks — hidden data in the document structure for forensic tracking. Sophisticated but not standardized in PDF.
Security Best Practices
- ✅ Use user passwords + AES-256 for confidential documents
- ✅ Use proper redaction tools — not black rectangles or highlights
- ✅ Verify redaction by opening the redacted PDF in a text editor and searching for removed content
- ✅ Apply digital signatures after all other edits (merge, rotate, watermark) are complete
- ✅ Use strong passwords — at least 12 characters with mixed case, numbers, and symbols
- ❌ Don't rely on owner passwords for actual security
- ❌ Don't use 40-bit or 128-bit RC4 encryption
- ❌ Don't assume a watermark prevents copying
- ❌ Don't skip verification before sharing redacted documents
Summary
| Protection | Purpose | Strength |
|---|---|---|
| User password + AES-256 | Prevent unauthorized opening | Strong |
| Owner password | Discourage printing/copying | Weak (easily bypassed) |
| Proper redaction | Permanently remove sensitive content | Strong (irreversible) |
| Digital signature | Prove authenticity and integrity | Strong |
| Watermark | Deterrent and leak tracing | Weak (removable) |