I’ve gotten several password-protected scripts recently, and I’ve wondered whether it’s any more than security theater.
So I asked on Twitter:
Serious question: Are password-protected PDFs actually secure, or is it like a cheap cable lock for your bike?
— John August (@johnaugust) April 29, 2014
To clarify, I'm talking about password-to-open, not password-to-print for PDFs. I assume anything that can be seen can be copied.
— John August (@johnaugust) April 29, 2014
Several people replied that the most recent update to Adobe Acrobat was pretty solid.
Looking around on the web, I’ve seen a similar range of opinions on how effective various encryption engines really are. But that’s with any theoretical document protected by any theoretical engine.
I’m curious how easy it is to crack the encryption on one simple document using a pretty standard engine. So I made two files, one “easy” and one “tough.”
Update! The easy PDF was cracked in less than a minute using a brute-force command-line tool for Windows. It was a four-digit number: 1806.
Here’s the easy file: encryption_test
Here’s the tough file: harder_encryption
Some tips:
- Each of these is just one page of plain text.
- Each has instructions for where and what to email if you manage to get the PDF unlocked.
- I don’t know the passwords. Both were generated randomly. So there’s no point trying to guess. (It’s not “umbrage.”)
- The easy file has a shorter password.
Mostly, I’m curious whether there are any practical ways to get past these kinds of locks. I’ve avoided locked PDFs under the assumption that they’re useless, but maybe I’m wrong.
So if you’re able to open either document, I’d love to know how you did it.