Yesterday, I [asked](http://johnaugust.com/2014/try-to-open-this-pdf) readers whether PDF encryption was actually effective, and offered up two sample PDFs as a test.
Two readers quickly cracked the easier of the files:
> The first file only took about 30 seconds. Right now the second one is running and it’s hit 5 digits so far running at an average rate of 1,005,000 words/second. I’m on an i7 CPU, similar to what you could buy in a nice Macbook Pro laptop.
The vulnerability is the password. The password for the first PDF was a four-digit number. The password for the second PDF was a random 32-character string, which made brute force much less effective.
> I ran multiple instances of the same app starting at different password lengths (6, 8, 10, 11, 12) so was getting upwards of 5M words/second. I let it run for 12+ hours or so but the possible combinations are staggering.
How staggering? Well, if you use a mix of upper and lower case letters and numbers, you get total of 62 possible characters:
0123456789AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz
Then, depending on your password length, math makes it awesome.
| Length | Combinations | Laptop | Dedicated | Distributed |
|---|---|---|---|---|
| 2 | 3,844 | Instant | Instant | Instant |
| 3 | 238,328 | Instant | Instant | Instant |
| 4 | 15 Million | < 2 Secs | Instant | Instant |
| 5 | 916 Million | 1½ Mins | 9 Secs | Instant |
| 6 | 57 Billion | 1½ Hours | 9½ Mins | 56 Secs |
| 7 | 3.5 Trillion | 4 Days | 10 Hours | 58 Mins |
| 8 | 218 Trillion | 253 Days | 25¼ Days | 60½ Hours |
I’ve adapted this chart from [these numbers](http://www.lockdown.co.uk/?pg=combi) courtesy Ivan Lucas, which date back to 2009. I’ve arbitrarily labeled the three columns as “laptop,” “dedicated” and “distributed” to illustrate what kind of system might be used in 2014 to achieve these results. The point is that each additional character in the password really does make it much more difficult to solve.
In fact, even at the fastest rate on this chart, solving the 32-character combination on the second PDF would take longer than the age of the universe. ((I’m almost sure I’ve done my math wrong, but I love a provocative statement.))
One of the people who cracked the first PDF actually works in IT security. He warns against getting smug:
> There are far more advance methods that utilize GPU hardware and elegantly-crafted combinations of known hash values, dictionary attacks, and brute force to get results much faster.
> Hackers have refined their tools using a pool of hundreds of millions of real-world passwords stolen from servers. They don’t have to use brute force if they know that 80% of people follow certain patterns.
For PDF encryption, the consensus seems to be that the latest version of Adobe is pretty effective if you’re using the 128 or 256 bit option and have 8+ random characters. Random, as in not a word in a dictionary.
No standalone file is safe from someone with enough time and the right tools. But for something like a screenplay, encryption is quite a bit better than I expected.
Far from being useless, PDF encryption is potentially worth it. I may start using it more often.