Do Passwords Really Protect Your PDFs?

PDFs, or Portable Document Formats, are a popular way to share important business documents. It’s easy to configure PDFs into a read-only format to send data that shouldn’t be altered upon receipt. They transfer across different applications and platforms without changing layout. And they can compress large documents, communicating a lot in a small space.

If you use PDFs in regulated industries, you may also be familiar with their password-protection features. You can use passwords on PDFs to prevent recipients from printing or editing the document or even from opening it at all. Many organizations, particularly those in regulated industries, use password protection as their primary security method when transferring sensitive information, including financial and health information, via PDF.

But password protection doesn’t live up to its name, and this form of data protection has a few issues. Nothing ensures the security of the password itself — in fact, many programs online advertise abilities to crack PDF passwords for you. You can’t track how many people know the password. And you can’t know who has opened it or when or whether anyone has edited its contents. Once a PDF is sent out into the world, its lifecycle becomes a black box.

Password Vulnerability

In a professional setting, most communication occurs by email — including the communication of passwords. A password is only as strong as the sender’s and recipient’s network security. You most likely don’t encrypt your email during transfer unless you use an encrypted email service; if a network’s antimalware and antivirus protection aren’t properly updated or its security patches are out of date, the password is just as vulnerable as every other message sent through that network.

Then there’s the problem of multiple recipients. PDF passwords attach to documents, not end users. Consequently, they must be given to each recipient of a document — and recipients tend to multiply. As an accountant, say you need to send a PDF containing tax information to a client. Your client may send the file to an investment advisor or a tax attorney, or even simply to a family member. It might make a stop in an administrative assistant’s inbox along the way. At each point in that chain, the password becomes increasingly available, and the document becomes more vulnerable.

Unauthorized Access

You can’t log a PDF document’s progress down the chain of its recipients. Unlike file-sharing services or various other means of document transfer, PDFs don’t keep file access records. Neither you nor your recipients know how many people have read it. One person? 25? There’s no way to tell. Financial data in particular, which is subject to such crimes as identity theft, is vulnerable in the case of unrecorded end users.

And you can’t change a PDF’s password, alter the file or delete it remotely in the case of unauthorized access. The information in a PDF is permanently available to anyone who can open the document. Confidential data just shouldn’t be exposed in this way.

Poor Encryption

Password-protecting documents means encrypting them. Encryption scrambles data so that your recipients can’t read it until they enter a decryption key — in this case, a password. So the strength of a PDF’s password is the strength of its encryption.

Leading PDF providers have changed built-in encryption algorithms over the years. Today, a PDF most likely uses 256-bit AES encryption, which is industry-standard security and difficult to crack. But many PDF viewers can’t read documents created with newer generations of software. Consequently, people tend to resort to older formats that don’t use these advanced methods. Their encryption is far easier to break, leaving documents vulnerable to “cracking.”

Cracking an encrypted document means using software that guesses the password. This software is available online, often cheap or free, and completely legal. Some software can only crack passwords that protect a document from being edited, printed or altered in some other way. Stronger cracking software exists to gain full access to the document.

A PDF’s vulnerability to cracking software depends on the strength of its encryption and the strength of the password you’ve chosen. A strong password is a long string of randomized numbers, letters or symbols that is not a real word. Most people don’t realize the importance of creating a strong password — instead, they use passwords they can remember easily, usually numbers or words. These kinds of passwords are much easier for cracking software to guess.
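
To see which generation of encryption a given PDF actually carries, and whether it only restricts printing, editing or copying, you can read the file's /Encrypt dictionary. The following Python is an added example, not part of the original article or any vendor's code; it assumes the Standard security handler, uses regular-expression heuristics instead of a full PDF parser, and the function names and sample byte strings are constructed for illustration.

```python
import re

def find_encrypt_dict(pdf: bytes):
    """Return the raw /Encrypt dictionary bytes, or None if the PDF has none."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:  # usual case: the trailer points at an indirect object "N G obj"
        pat = rb"(?<!\d)%b\s+%b\s+obj(.*?)endobj" % ref.groups()
        obj = re.search(pat, pdf, re.S)
        return obj.group(1) if obj else None
    pos = pdf.find(b"/Encrypt")  # rarer case: dictionary written inline
    return pdf[pos:pos + 2048] if pos != -1 else None

def _num(enc: bytes, key: bytes, default: int) -> int:
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", enc)
    return int(m.group(1)) if m else default

def audit(pdf: bytes) -> dict:
    """Report cipher, key size and permission flags of the Standard handler."""
    enc = find_encrypt_dict(pdf)
    if enc is None:
        return {"encrypted": False}
    v = _num(enc, b"V", 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", enc)
    if v == 1:
        algo, bits = "RC4", 40
    elif v == 2:
        algo, bits = "RC4", _num(enc, b"Length", 40)
    elif v == 4:  # crypt filters: /V2 means RC4, /AESV2 means AES-128
        aes = bool(cfm) and cfm.group(1) == b"AESV2"
        algo, bits = ("AES", 128) if aes else ("RC4", 128)
    elif v == 5:
        algo, bits = "AES", 256
    else:
        algo, bits = "unknown", 0
    p = _num(enc, b"P", -1) & 0xFFFFFFFF  # /P is a signed 32-bit flag word
    denied = [n for bit, n in ((4, "print"), (8, "modify"), (16, "copy")) if not p & bit]
    # Policy assumption for this example: anything that is not AES is legacy.
    return {"encrypted": True, "algorithm": algo, "key_bits": bits,
            "legacy_cipher": algo != "AES", "denied": denied}

# Constructed fragments, not real documents: just enough bytes to exercise the parser.
LEGACY = (b"5 0 obj << /Filter /Standard /V 1 /R 2 /P -64 /O <00> /U <00> >> endobj\n"
          b"trailer << /Root 1 0 R /Encrypt 5 0 R >>")
MODERN = (b"7 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -4 "
          b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >> endobj\n"
          b"trailer << /Root 1 0 R /Encrypt 7 0 R >>")

if __name__ == "__main__":
    for name, sample in (("legacy", LEGACY), ("modern", MODERN)):
        print(name, audit(sample))
```

Running `audit` over outgoing documents before they are sent shows which files still use a legacy cipher and should be re-saved with AES encryption.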

The Need for Better Protection

In the modern world, millions of people have digitized huge amounts of confidential and sensitive data. And as accountants move more and more into the digital age, you need to protect this data for ethical and sometimes legal reasons. Exposure of financial records can be deeply damaging to individuals affected, and often such exposure is a breach of industry and government regulations; the organizations responsible for it can incur financial or legal punishments.

Protection methods that don’t properly secure passwords, track document access or encrypt data are simply not sufficient when sharing documents. Although password-protected PDFs are easy to use and highly functional, you simply shouldn’t entrust sensitive data to them.

A Better Way to Work

Citrix ShareFile provides easy-to-use file sharing and access that’s as secure as it is simple. It’s your all-in-one solution that offers a central place to store, back up, sync, send and receive large and confidential data as well as collaborate while complying with industry standards to let you work more efficiently.

And to save you even more time, Citrix ShareFile comes with built-in IRS-accepted e-signature, so you can stop chasing clients to get forms, including those 8879s, signed and finalized — with ShareFile, you and your clients can do it all in seconds. It’s security for your clients and simplicity for you. See how ShareFile can change the way you work and help you get past password-protected PDFs at