Improving pdf security

New Here, Apr 12, 2021

I need decent security for documents I send over the web as they contain sensitive and personal information. I moved to and pay for Adobe Acrobat some months ago from the third-party pdf generator I was using in order to assure myself (as I have to demonstrate to my regulatory body that I have taken adequate steps to offer proper document security) that I had best-in-industry standard encryption. I carefully ensure that my passwords come up as 'strong' on the checker as I enter them.

 

I sent an encrypted document to a client today, who first complained that the password didn't work, and then seconds later, told me not to bother resending it as he had cracked it with an online tool <URL Removed by MOD.>. At a stroke, this has destroyed my illusion that Adobe incorporates proper pdf security, thus rendering it no better than my free third party generator. I can't see a way to raise this with Adobe (which I'm also pretty unimpressed about), and this forum seems to be the only way I can raise it in the hope someone from Adobe can explain themselves. I'd be grateful for any comments.

 

I'd appreciate any comments.

TOPICS
PDF forms, Standards and accessibility

1 Correct Answer

Adobe Employee, Apr 12, 2021

These communities are absolutely not a means of communicating with either Adobe Customer Support or Adobe product development.

 

You didn't say exactly what type of security parameters you provided when you password-protected the PDF file. You stated that you chose a “strong” password, but that isn't the only consideration.

 


 

For strongest security, you must use the Acrobat X and later setting that provides 256-bit AES security encryption; that is the highest level of security supported by 

 

To be very clear, the password itself is not stored within the PDF file. You pointed to an on-line service that removes password protection. The only way it accomplishes that is via brute force attacks. This is no different than any other protection offered by the 256-bit AES security encryption and is the highest level supported by the PDF specification.

 

Unless you use certificate security (you can apply this if you know what you are doing and have the certificate resources) or third party solutions (which require more than just sharing a password), this is all you achieve with any PDF creation or editing tool based on the underlying PDF specification.

 

- Dov Isaacs, Principal Scientist, Adobe
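
To check which cipher a finished file actually declares, here is an added example (not part of the thread and not Adobe's code). It reads /V, /R and the crypt filter method from the PDF encryption dictionary; in the PDF format, 256-bit AES is declared as /V 5 with crypt filter method /AESV3. The function names and sample bytes are constructed for illustration, and the scan assumes /Encrypt is an indirect reference to an uncompressed object.

```python
import re

# /CFM crypt filter methods of the standard security handler -> (cipher, key bits).
CFM_CIPHER = {b"V2": ("RC4", 128), b"AESV2": ("AES", 128), b"AESV3": ("AES", 256)}

def _num(key: bytes, body: bytes, default: int) -> int:
    m = re.search(rb"/" + key + rb"\s+(\d+)", body)
    return int(m.group(1)) if m else default

def encryption_summary(pdf: bytes) -> dict:
    """Report the cipher declared in a PDF's /Encrypt dictionary.

    Simplified scan, not a full PDF parser. Assumption: /Encrypt is an
    indirect reference in the trailer, pointing at an uncompressed object.
    """
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if not ref:
        return {"encrypted": False}
    obj = re.search(rb"(?<!\d)%b\s+%b\s+obj(.*?)endobj" % ref.groups(), pdf, re.S)
    body = obj.group(1) if obj else b""
    v, r = _num(b"V", body, 0), _num(b"R", body, 0)
    if v in (1, 2):
        # Legacy handlers are RC4; 40-bit unless /V 2 sets /Length.
        cipher, bits = "RC4", (_num(b"Length", body, 40) if v == 2 else 40)
    else:
        # /V 4 and /V 5 name the cipher per crypt filter; report the weakest.
        found = [CFM_CIPHER[m] for m in re.findall(rb"/CFM\s*/(\w+)", body) if m in CFM_CIPHER]
        cipher, bits = min(found, key=lambda c: (c[0] == "AES", c[1]), default=("unknown", 0))
    return {"encrypted": True, "V": v, "R": r, "cipher": cipher, "bits": bits,
            "aes256": v == 5 and (cipher, bits) == ("AES", 256)}

# Constructed samples: just the /Encrypt object and trailer of two files.
RC4_FILE = b"""5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /O <00> /U <00> /P -3904 >>
endobj
trailer << /Root 1 0 R /Encrypt 5 0 R >>"""
AES256_FILE = b"""12 0 obj
<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904
   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
   /StmF /StdCF /StrF /StdCF >>
endobj
trailer << /Root 1 0 R /Encrypt 12 0 R >>"""

if __name__ == "__main__":
    for name, data in (("rc4", RC4_FILE), ("aes256", AES256_FILE)):
        print(name, encryption_summary(data))
```

The result only says which cipher the file declares; how well a File Open password resists guessing still depends on the password itself.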

New Here, Apr 13, 2021

This is terrific, and wasn't at all obvious when I was setting up Acrobat to encrypt documents. As I said, I was completely unsuccessful at finding any means of asking Adobe either, and asked here more in hope than anticipation. Thank you. A bit of feedback to Adobe is that this could be made more obvious during set-up - I really don't think there is much call for easily-cracked document security.

New Here, Apr 15, 2021

A final note on this from me; I implemented the suggestions made and can confirm that a properly encoded document cannot be cracked readily by the website I shall not name again. Thank you all.

 

Two suggestions. Firstly, Acrobat should be set up to implement this from the get-go, and secondly, while those reading this forum have been immensely helpful and responsive, I still can't see how to access assistance from Adobe themselves, which in my view as a paying customer is not an unreasonable thing to expect. I know most major corporations like to hide away from their users as much as possible, making them go to FAQs first, but even after exhausting those (which could have been more helpful, too) I think it is reasonable to expect to be able to access support.

Most Valuable Participant, Apr 15, 2021

You can contact Adobe directly for help using these links:
General help page: https://helpx.adobe.com/contact.html

Via Chat: https://helpx.adobe.com/contact.html?rghtup=autoOpen
Via Phone: https://helpx.adobe.com/contact/phone.html

Most Valuable Participant, Apr 13, 2021

When you apply a security policy there's a clear notification that warns you that some PDF viewers do not enforce it. Most people just dismiss it without a second thought, but it's there for a reason. The File Edit password is indeed very easy to get around. The File Open password less so, but still not impossible...

New Here, Apr 13, 2021

Thank you. If you think about it, that's not really a good enough baseline solution in today's world. You'll see I have responded more fully to other correspondents, but I shall be testing Dov Isaacs' suggestions to assess their security. It may well be that Adobe simply hasn't implemented good enough security for my purposes, in which case I will regretfully have to close my subscription and look elsewhere, but I hope that won't be the case, as I have otherwise found the software impressive, mature in its functionality and stability, and, importantly, useful.

Most Valuable Participant, Apr 14, 2021

"If you think about it, that's not really a good enough baseline solution in today's world."

Let's talk about the world of PDF, though. PDF is a public standard (now controlled by international standards bodies). It sets out the way PDF security works, but the info is public. This means anyone can write a PDF app.

- A password protected file with a password needed to open does need the password to decode it. Brute force attacks may find it, especially if it is a short word with only letters.

- A file with security set and no password needed to open it has some rules listed in the PDF standard, but the rules are widely ignored. 

It is basically impossible to have a security WITHOUT A PASSWORD that relies on apps following the rules.

Now, you can have much higher security if you use secret info that locks a PDF to just one app. Adobe do have such a thing, but it is part of a big ticket enterprise package. Also, people don't like being tied to Adobe apps to read their PDFs - they can't be read in web browser, emails, on phones or tablets... such things are called "DRM" and there are other suppliers too.

 

Adobe Community Professional, Apr 13, 2021

Hi,

 

And I think the key piece is "adequate steps to offer proper document security". What does your regulatory body consider that to be? And as Dov mentions there are other things that can be done with some extra steps that would secure the document more.

New Here, Apr 13, 2021

Thank you; you'll see I found Dov Isaacs' solution immensely helpful. Of course passwording a document should not be thought of as uncrackable; what one person can do another person can undo given enough time and resources. I try to select encryption that requires sufficient amounts of both that all but the most dedicated won't bother. A simple online crack was an unpleasant surprise. The actual wording is, "You must keep records that contain personal information about patients, colleagues or others securely, and in line with any data protection requirements." I do keep them securely on my servers, but clearly the data protection requirements in my country must also be adhered to, and they state that I must "keep electronic data secure, say by encrypting mobile devices, using passwords and backing up data". I do all these as well, but to me that is only the letter of the law; encryption must be good enough to resist casual attack. I shall be researching this further, but will come back here if implementing Dov's suggestion doesn't improve things to my satisfaction.

Most Valuable Participant, Apr 14, 2021

I interpret "You must keep records that contain personal information about patients, colleagues or others securely, and in line with any data protection requirements." as meaning not that the files must be password protected, but that all access to them must be controlled. They must not be emailed, sent by insecure web protocols etc. Such things should not be "sent to a client" but shared in the framework of a secure closed infrastructure, auditable at all points. This is certainly the basic starting point for European and UK data protection law, and there are unlimited legal penalties for companies who do not ensure safety of personal data. Setting passwords is like locking your front door when you have no windows or indeed walls.

New Here, Apr 14, 2021

Indeed; no argument from me, and I have used Adobe's own system which I hope and from my limited reading appears to provide all that, although I do have some slight residual concern about server location. As may be clear, I am not an IT expert but a user keen and intent on doing things to an adequate standard.

New Here, Apr 13, 2021

PDF files are not secure enough with just any password, since there are half a dozen applications that remove the restrictions, unless you sign it digitally. That protects it much more, but it can still be modified.

If what you want is protection for sending/receiving, use Encrypo on Mac, which is an encryption tool that works very well. I suppose it also works on Windows.

Regards.

 

Adobe Employee, Apr 13, 2021

quote

Pdf files are not secure enough with any password as there are half a dozen applications that remove restrictions, except if you sign it digitally. This protects it much more, but they can still be modified.

 

If you want send/receive protection, use Encrypo on Mac which is a very well-functioning encryption. I guess it works on Windows, too.

Best regards.

 

The Encrypo program you mention is the exact same 256-bit AES security encryption protection offered by Acrobat and is no more secure than using that built-in feature of Acrobat and PDF except that it applies the encryption to the file as a whole, not the contents by itself. If you can crack open the inside of a PDF file protected with this encryption, you can crack the file itself protected by Encrypo!

 

- Dov Isaacs, Principal Scientist, Adobe

New Here, Apr 14, 2021

Dov, good day:

I do not agree with your opinion.

PDF files encrypted with the algorithm you mention are unprotected very easily, whereas with .encrypto files it is highly improbable that anyone manages to unprotect them. It's that simple, whether you like it or not.

My opinion is: if you do not want your PDF file to be tampered with, sign it digitally, selecting the option to not allow any changes (the digital certificate can be on your computer or on Adobe's server).

If what you want is to send it remotely without anyone being able to easily access the content, simply encrypt it.

Daniel
