PDF security isn't a single feature — it's a set of layered controls that work differently and protect against different things. A password that prevents opening is completely different from a password that prevents printing. PDF Encryption that protects a file at rest is different from the controls that restrict what a recipient can do after they open it. Understanding each layer helps you apply the right protection for the situation rather than either over-securing documents unnecessarily or leaving sensitive files more exposed than you realized.
The Two Types of PDF Passwords
Most people think of PDF password protection as a single thing. There are actually two distinct password types, controlling different aspects of document access.
Document Open Password (User Password)
This password controls who can open the file at all. Without it, the PDF is completely inaccessible — clicking on it produces a password prompt and nothing else. This is the appropriate control for documents containing genuinely sensitive information: financial records, legal documents, HR files, anything where unauthorized access to the content itself is the risk. WukongPDF's PDF Password protection at www.wukongpdf.com adds this type of password — upload, set the password, download the protected file.
Permissions Password (Owner Password)
This password doesn't prevent opening — the document opens normally. What it controls is what the recipient can do with it. The permissions password can restrict printing, copying text, editing content, adding annotations, and filling in form fields. Recipients see the document but can't extract or modify its content without the permissions password. This is useful for proposals you don't want clients to copy from, reports you're distributing while maintaining control over the content, or templates you want filled in but not structurally changed.
Encryption: What the Numbers Actually Mean
PDF encryption has evolved through several standards, and older PDFs may use weaker encryption that doesn't provide meaningful PDF Security today.
40-bit RC4 (PDF 1.1–1.3)
The earliest PDF encryption standard. 40-bit RC4 is considered broken by modern standards — it can be defeated by readily available tools in seconds. If you receive an older PDF protected with this standard, it provides essentially no security. If you're protecting a document, never use this standard.
128-bit RC4 (PDF 1.4–1.5)
Stronger than 40-bit but still using the RC4 algorithm, which has known vulnerabilities. Better than nothing, but not the standard to use for sensitive documents in 2024.
128-bit AES (PDF 1.6–1.7)
AES (Advanced Encryption Standard) is a significant step up from RC4. 128-bit AES is solid protection for most business purposes and is the minimum standard worth using for sensitive documents.
256-bit AES (PDF 1.7 ext. 3 / PDF 2.0)
The current standard. 256-bit AES is used by governments and financial institutions for classified and sensitive data. For PDF protection, this is the appropriate choice for anything requiring serious security. Most modern PDF tools default to this when you add password protection.
What Permissions Actually Control
PDF permissions are more granular than most people realize. When setting a permissions password, you can typically control:
- Printing: allow none, allow low-resolution only, or allow high-resolution printing
- Content copying: prevent selecting and copying text from the document
- Editing: prevent changes to document content, or restrict to specific types of changes like form filling or annotation
- Accessibility: some tools allow screen readers to access text even when copying is restricted, preserving accessibility while limiting extraction
Important caveat: permissions restrictions are enforced by PDF viewers that respect them — mainly Adobe Acrobat and Adobe Reader. Other viewers may ignore permissions entirely, and determined users can work around them using tools that don't honor the restrictions. Permissions deter casual misuse; they don't prevent determined circumvention. For absolute content protection, the document open password combined with strong encryption is the more reliable control.
Matching Security Level to the Document
- Public document, no sensitive content: no password needed
- Content you want to protect from copying or editing: permissions password with appropriate restrictions
- Sensitive content going to specific recipients: document open password with 256-bit AES encryption, password shared via separate channel
- Highly sensitive content with compliance requirements: document open password, permissions restrictions, and a certified digital signature that alerts recipients if the document is modified