22

It appears that Word's password protection is not really good, at least until Office 2003, if I read this SU entry correctly. I'm under the impression that Acrobat's PDF password protection should be better (it says 128-bit AES for Acrobat 7 and higher). Is that true?

Of course, it depends on the strength of the password used, but assuming I protect my PDF with a password like sd8Jf+*e8fh§$fd8sHä, am I on the safe side?

Like, say, for sending confidential patient information - not really valuable, but potentially highly sensitive.

7 Answers

13

From the Adobe site - Securing documents with passwords:

The Acrobat 3 And Later option uses a low encryption level (40‑bit RC4), while the other options use a high encryption level (128‑bit RC4 or AES). Acrobat 6.0 And Later lets you enable metadata for searching. Acrobat 9.0 And Later encrypts the document using the AES encryption algorithm with a 256-bit key size.

So apparently 7 will use 128-bit AES. I'd say you're very safe, especially with a password like that. The National Institute of Standards and Technology agrees:

Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key.
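Before relying on any of the levels quoted above, it helps to check which one a given file actually carries. The following is an added example, not part of the original answer: it reads the Standard security handler settings from a PDF's /Encrypt object and reports cipher and key size. The function names and the sample objects are constructed for illustration, the /V and /R mapping follows the PDF specification rather than this page, and the object lookup is a simplified byte scan, not a full PDF parser.

```python
import re

def _int(key, body, default=None):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default

def describe_encryption(pdf_bytes):
    """Summarise a PDF's Standard security handler settings, or return None."""
    hit = re.search(rb"/Filter\s*/Standard\b", pdf_bytes)
    if hit is None:
        return None                       # no password-based encryption found
    # Simplification: treat the enclosing indirect object as the dictionary.
    start = pdf_bytes.rfind(b"obj", 0, hit.start())
    end = pdf_bytes.find(b"endobj", hit.end())
    body = pdf_bytes[max(start, 0): end if end != -1 else len(pdf_bytes)]
    v, r = _int(b"V", body, 0), _int(b"R", body, 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    cfm = cfm.group(1).decode() if cfm else None
    if v == 1:                            # "Acrobat 3 And Later": 40-bit RC4
        cipher, bits = "RC4", 40
    elif v == 2:                          # variable-length RC4, 40 to 128 bits
        cipher, bits = "RC4", _int(b"Length", body, 40)
    elif v == 4:                          # crypt filters: AESV2 is 128-bit AES
        cipher, bits = ("AES" if cfm == "AESV2" else "RC4"), 128
    elif v == 5:                          # "Acrobat 9.0 And Later": 256-bit AES
        cipher, bits = "AES", 256
    else:
        cipher, bits = "unknown", 0
    return {
        "cipher": cipher, "key_bits": bits, "revision": r,
        "metadata_encrypted": re.search(rb"/EncryptMetadata\s+false", body) is None,
        # Revision 5 checks a password with a single SHA-256 pass, so each guess
        # is cheap; revision 6 replaced it with a slower iterated hash.
        "fast_password_check": r == 5,
        "low_encryption_level": bits < 128,
    }

# Constructed /Encrypt objects (not from real files); /O and /U are dummy values.
def _sample(fields):
    return (b"%PDF-1.7\n9 0 obj\n<< /Filter /Standard " + fields +
            b" /O <00> /U <00> /P -1068 >>\nendobj\n")

SAMPLE_ACROBAT3 = _sample(b"/V 1 /R 2")
SAMPLE_ACROBAT7 = _sample(b"/V 4 /R 4 /Length 128 /CF << /StdCF << /CFM /AESV2 /Length 16 >> >>")
SAMPLE_ACROBAT9 = _sample(b"/V 5 /R 5 /Length 256 /CF << /StdCF << /CFM /AESV3 /Length 32 >> >>")

if __name__ == "__main__":
    for name in ("SAMPLE_ACROBAT3", "SAMPLE_ACROBAT7", "SAMPLE_ACROBAT9"):
        print(name, describe_encryption(globals()[name]))
```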

3

Of course, it depends on the strength of the password used, but assuming I protect my PDF with a password like sd8Jf+*e8fh§$fd8sHä, am I on the safe side?

With such a password your documents will be pretty much well protected. Especially under Acrobat 7 and 8.

Under Acrobat 9, Adobe made changes to the underlying algorithm. And while they upgraded the encryption to 256-bit AES, the algorithm allows for brute force and dictionary attacks to waste less processor cycles on each password interaction. You can read about it in Adobe's blog.

Necessarily, that type of password will be a strong one under Acrobat 9 and will render any brute-force or dictionary attack (pretty much the only means of breaking a pdf protected document) very inefficient methods. And while it needs to be said these tools will perform faster under Acrobat 9, it would still be years before a common user machine could eventually break your password.


One last comment, the size of your password will be the most determining factor in protection, as well as the unique count of characters. So, you can expect to provide a password such as mypaSwURD_frOM2009onMunTH#16, which is easier to memorize (includes purposed typos) and still obtain the same high security level.

A Dwarf
  • 19,329
0

Latest crackers can, on machines with the right video cards, use the GPU itself to crack passwords with a brute-force attack at a speed comparable to a super-computer.

If the password wasn't long enough, it will be cracked in a matter of minutes and up to several days.

Conclusion: Only if you use the latest Acrobat version and employ very longggg passwords and no dictionary words, will you be safe enough.

But then, all this will be a wasted effort if your password leaked to the web ...

harrymc
  • 498,455
0

I seem to remember that one could:

  • Obtain a free/open source PDF printer (i.e. you print to it from your application and it produces a PDF file)
  • Open the protected PDF in Acrobat Reader
  • Print the PDF to the PDF printer, thus ending up with a new PDF file with no protection.

Worth investigating.

Alan B
  • 337
-1

The simple test is to send a pdf file encrypted as V9.0 acrobat with a password similar to sd8Jf+*e8fh§$fd8sHa, and ask anyone to decrypt it. If after say 10 days no-one has replied with the contents on view then you know your data is safe. However, remember two problems with passwords. 1. Your recipient will have to know what it is - and may leak it as in the next item. 2. It's amazing how powerful key-loggers are. These read your passwords as you type them and potentially send them anywhere without you knowing. Your keyboard 'buffer' is your enemy in this respect. Even PGP suffers the same vulnerability. What's the answer? Place your data-files on a server - where you can only gain access via a two part process. E.g. see how PayPal now optionally allows access only via a new security code sent to your mobile. A PC key-logger would find this difficult to defeat unless your mobile is already infected by a key-logger!

qw211
  • 7
-1

I wouldn't trust either one, frankly. Password protections built into pdf, word processing, spreadsheets, archiving software... They're nearly all hobbyist systems, put in place to stop people who are honest, not people who are determined. Doesn't matter how securely the password is stored if there are work-arounds (Acrobat is way better than Word, however).

I'd recommend looking into GPG or PGP for actual encryption (they're basically the same program, but PGP is polished, commercial, and expensive, and gpg is open source, little rough around the edges (as far as user friendliness goes), and free-as-in-beer.) You can integrate them with email, you can save whatever document format is convenient, and you can be sure that, as long as your key exchange procedures are solid, no one is going to be reading your mail.

From a more practical...shall we say legal...point of view, going to full encryption is going to do a lot to show that you've taken due diligence with sensitive data.

Satanicpuppy
  • 7,205
-2

This should be a comment to satanicpuppy, but the comments are limited to 600 characters. :-(

I support this (Satanicpuppy's) as being the most sensible answer.

You are looking at the strength of the password as a measure of how secure something is. In this case, you are - as an example - talking about patient data. So the security you are looking for is meant to secure the content not the algorithm or functionality (printing, saving, copy/paste).

While I agree that it might be superdifficult to print a document that is protected that way, PDF has been - and still is - dead easy to decrypt. That way the content can be descrambled and written into another file, with no restrictions whatsoever.

I am by no means a hacker, but the two Python scripts needed for that were so easy to use, even I managed to "free" my Adobe DRM-Protected ebook I just downloaded yesterday... No kidding.

And of course, you'd have a look at Elcomsoft, because there you can find any crack for virtually anything. PDF and Word at the top of the list.

martineau
  • 4,573
Wolf
  • 2,593