How to Password-Protect a PDF (and When Encryption Isn't Enough)

Password-protecting a PDF encrypts the file so it can't be read without the correct password. The standard is AES-256 — the same encryption used in banking and government systems. A PDF encrypted with AES-256 and a strong password is not practically crackable. Drop your file into the protect PDF tool, set a password, and download an encrypted copy that never left your browser. That's the mechanic. The harder question is what the protection actually gives you — and where it stops.

AES-256 vs. Older PDF Encryption Standards

Not all PDF password protection is equivalent. The PDF format has gone through several encryption standards over the years, and what you get depends entirely on which version your tool applies.

  • 40-bit RC4 (PDF 1.1–1.3): Crackable in minutes with freely available tools. If you're using software that produces PDF 1.3 output, stop. The protection is cosmetic.
  • 128-bit RC4 (PDF 1.4–1.5): Weak by modern standards. Brute-force attacks are feasible with modern hardware, especially against short passwords.
  • 128-bit AES (PDF 1.6): Acceptable, but superseded. Still used by some older enterprise tools. Better than RC4, but not what you want for sensitive documents today.
  • 256-bit AES (PDF 1.7 ext3, PDF 2.0): The current standard. Computationally infeasible to brute-force with a strong password. This is what you should be using.

If you're using an older desktop PDF tool — particularly anything from the early 2000s still running in your organisation — check which encryption standard it actually applies. The UI may say "password protected" without specifying the algorithm. For reference, ConvertYard's protect PDF tool uses AES-256.
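One way to run that check on a file an existing tool has produced, as an added example (not code from ConvertYard or any PDF product): the Python below reads the PDF's /Encrypt dictionary and maps its /V, /R, /Length and /CFM entries to the standards listed above. The function names and sample bytes are constructed for illustration, and the block goes slightly beyond the list by also reporting RC4 applied through a crypt filter.

```python
import re
import sys

def encrypt_dict_bytes(pdf: bytes):
    """Return the raw bytes holding the /Encrypt dictionary, or None."""
    hits = list(re.finditer(rb"/Encrypt\s*(?:(\d+)\s+(\d+)\s+R|<<)", pdf))
    if not hits:
        return None                       # no /Encrypt entry: file is not encrypted
    m = hits[-1]                          # the most recent trailer comes last
    if m.group(1) is None:                # dictionary written inline in the trailer
        return pdf[m.end():m.end() + 2048]
    ref = rb"(?<!\d)%d\s+%d\s+obj" % (int(m.group(1)), int(m.group(2)))
    obj = re.search(ref, pdf)
    if obj is None:
        return None
    end = pdf.find(b"endobj", obj.end())
    return pdf[obj.end():end if end != -1 else obj.end() + 2048]

def describe_encryption(pdf: bytes) -> str:
    """Map /V, /R, /Length and /CFM to the algorithm names used above."""
    raw = encrypt_dict_bytes(pdf)
    if raw is None:
        return "not encrypted"
    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(\d+)", raw)
        return int(m.group(1)) if m else default
    v, r, length = num(b"V", 0), num(b"R", 0), num(b"Length", 40)
    cfm = re.search(rb"/CFM\s*/(\w+)", raw)
    cfm = cfm.group(1).decode() if cfm else "none"
    if v in (1, 2):                       # /V 1 is always 40-bit; /V 2 uses /Length
        return f"RC4 {length if v == 2 else 40}-bit"
    if v == 4:                            # crypt filters: /CFM names the cipher
        return {"AESV2": "AES 128-bit", "V2": "RC4 (crypt filter)"}.get(cfm, f"crypt filter {cfm}")
    if v == 5:
        return "AES 256-bit (PDF 2.0)" if r == 6 else "AES 256-bit (PDF 1.7 ext3)"
    return f"unrecognised (V={v}, R={r})"

# Constructed samples: only the objects this check reads, not complete PDFs.
SAMPLE_AES256 = (b"9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
                 b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n")
SAMPLE_RC4_40 = (b"7 0 obj\n<< /Filter /Standard /V 1 /R 2 >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n")

if __name__ == "__main__":
    for path in sys.argv[1:]:             # e.g. python check_pdf.py report.pdf
        with open(path, "rb") as fh:
            print(path, describe_encryption(fh.read()))
```

Scanning the raw bytes works because the PDF specification does not allow the encryption dictionary to be stored inside a compressed object stream. For files that have been through several incremental saves, confirm the result with a full parser such as `qpdf --show-encryption`.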

The encryption standard is only half the equation. The other half is your password.

Common Mistakes

Most failures in PDF password protection aren't cryptographic weaknesses — they're operational mistakes.

Sending the password in the same message as the file. This is the most common mistake, and it renders the encryption almost worthless. If an attacker intercepts that email thread, they have both the file and the key. The whole point of encryption is that the ciphertext (the file) and the key (the password) travel through different channels with different breach surfaces. Send the password through a different channel: a phone call, a text message, or an email account that doesn't share the same login credentials or provider.

If you email the file from Gmail and then email the password from Gmail, you have one attack surface. If you email the file and call the recipient with the password, you have two.

Using a weak password. "pdf123", "welcome", your company name, the recipient's name — these fall in seconds to a dictionary attack. AES-256 is only as strong as the key protecting it. Use a randomly generated password of at least 16 characters mixing uppercase, lowercase, digits, and symbols. A password manager can generate and store this. Yes, this is less convenient than typing "Q3Budget". The inconvenience is the point.

Assuming the recipient can't forward the unencrypted content. Once the authorised recipient opens the PDF, they can take a screenshot, print to PDF, or copy-paste the text — producing an unencrypted copy. Unless you've set explicit permissions restrictions (which prevent printing and copying) in addition to the open password, your document can be trivially stripped of its encryption by anyone who has the password. The open password controls access. It does not control what an authorised user does with what they see.

These three mistakes account for the vast majority of "encrypted PDF" security failures. The encryption itself is almost never the problem.

What Password Protection Doesn't Stop

Being clear-eyed about the limits of PDF passwords saves you from a false sense of security.

  • Authorised users forwarding content. Anyone who can open the file can screenshot it or print it to a new PDF that has no password. The encryption protects against unauthorised access, not against authorised sharing.
  • Metadata exposure. Password-protecting a PDF encrypts its contents, but metadata — author name, creation date, software version, sometimes the original filename — may remain accessible without the password. This depends on how the PDF was created and which metadata fields were populated. If a document's metadata alone reveals something sensitive, encryption of the body isn't sufficient.
  • Weak passwords. AES-256 with "password123" is not secure. The algorithm is strong. The password is the variable.
  • Physical access. If someone can see your screen while the file is open, encryption doesn't help. Password protection secures the file at rest and in transit. It doesn't secure the information once it's rendered and visible.
  • Social engineering. If an attacker can convince the authorised recipient to forward the document, no encryption helps.

These aren't criticisms of PDF encryption. They're accurate descriptions of what it is: a tool that controls access to a file. Not a tool that controls what happens after access is granted.

When Encryption Isn't Enough

For genuinely sensitive documents — medical records, legal privileged material, financial data, anything that could cause real harm if intercepted — password-protecting the PDF is a floor, not a ceiling.

Out-of-band password sharing. Never share the password through the same channel as the file. Phone calls, in-person handoff, or a separate messaging platform are all better than the same email thread. The more separate the channels, the more breach surfaces an attacker needs to compromise simultaneously.

Encrypted email. Sending an encrypted attachment over an unencrypted email connection has a weak point: the email metadata (sender, recipient, subject line, timestamp) travels in plaintext even if the attachment is encrypted. S/MIME and PGP encrypted email encrypt the message body and attachments together, and some implementations also protect metadata. For high-sensitivity communications, encrypted email is a stronger solution than encrypted attachment over standard email.

Asking whether the document should be sent at all. Sometimes the right answer is "this shouldn't go by email." Ask whether the recipient needs the document itself or just the information it contains. A phone call conveying the relevant facts, or a brief summary with the sensitive details removed, may serve the purpose without the risk of the document existing in the recipient's inbox indefinitely.

Password protection is a meaningful security improvement over sending a plaintext PDF. Compared to nothing, it's a significant step. But it's not a substitute for judgment about what information should travel where, with what level of protection, and through what channels.

Unlocking a PDF You Own

If you've set a password on a file and later need to remove it — or if you've inherited an encrypted PDF and have the original password — use the unlock PDF tool. Drop the encrypted file, enter the password you set, and download an unencrypted version. This runs entirely in your browser; the file doesn't get uploaded anywhere.

This requires knowing the original password. The unlock tool decrypts files using a password you provide — it doesn't crack encrypted PDFs. If you've lost the password to an AES-256 encrypted file, the encryption is doing its job.

Frequently asked questions

What encryption does password-protecting a PDF use?
Modern PDF password protection uses AES-256 encryption — the same standard used in banking and government systems. Older PDF tools (pre-PDF 1.6) used weaker 40-bit or 128-bit RC4 encryption, which is crackable. ConvertYard's protect PDF tool uses AES-256.

Can a password-protected PDF be cracked?
AES-256 is computationally infeasible to brute-force with a strong password. The risk is weak passwords (dictionary attacks) or the password being intercepted separately from the file. A PDF encrypted with AES-256 and a strong random password is not practically crackable.

What's the biggest mistake people make with PDF passwords?
Sending the password in the same email or message as the encrypted file. If an attacker intercepts the communication, they get both the file and the key. Send the password through a different channel — a phone call, SMS, or separate email account.

Does password protection hide PDF metadata?
No. Password-protecting a PDF encrypts its contents, but metadata — author, creation date, software used, sometimes the original filename — may remain accessible without the password, depending on how the PDF was created and which fields were populated.

What does password protection NOT stop?
Once the password is entered and the file is open, the recipient can take screenshots, print to a new PDF that has no password, or copy text — unless you also set permissions restrictions. The password controls access, not what an authorised user can do with the content.

How do I remove a password from a PDF I own?
Use the unlock PDF tool — drop the encrypted PDF, enter the password you set, and download an unencrypted version. This only works if you know the original password.