How to Password-Protect a PDF
April 2026 · 5 min read
Two types of PDF passwords
PDF supports two distinct passwords. The user password (also called the open password) is required to open and view the document. Anyone who does not know it sees a password prompt and cannot read the file. This is the password most people mean when they say they want to protect a PDF.
The owner password controls permissions without restricting opening. A document with only an owner password can be opened by anyone, but printing, copying, or editing may be restricted. The owner password is required to change those restrictions.
You can set both passwords on the same document. A common use case is setting a user password for clients and an owner password for yourself, so you can update the document later without sharing the owner credentials.
What PDF encryption actually does
When you set a user password, the PDF content is encrypted using AES-256 (in modern PDFs). The password is used to derive the decryption key. Without the password, the ciphertext in the file is unreadable - not just hidden but mathematically scrambled.
The strength of this protection depends on the password strength. AES-256 encryption is extremely strong by itself. The weak link is almost always the password. A short, common, or guessable password can be brute-forced in minutes. A long, random password makes brute-force infeasible.
PDF encryption does not protect against someone who already has the password sharing it with others. It is access control, not DRM. If you send a password-protected PDF to a client and they share the password, the protection is gone. Encryption limits unauthorized access, not intentional sharing.
How to protect a PDF with PDFsuite
Open /tools/protect and upload your PDF. Enter the password you want to use. PDFsuite shows a strength indicator - use a password of at least 12 characters mixing letters, numbers, and symbols for meaningful security.
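Optionally, set permission restrictions: whether recipients can print the document, copy text, or make annotations. These restrictions are controlled by the owner password and are enforced by compliant PDF viewers. Software that does not honor them can ignore them, so treat them as a usage policy rather than a security boundary.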
Click Protect. The tool encrypts the file in your browser and downloads the protected PDF. The original unprotected file is not modified. Test the protected file before sending it: open it in a PDF viewer and confirm the password prompt appears and works correctly.
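One way to script part of the check in the last step, as an added example (not PDFsuite's code): it reads the encryption dictionary a PDF declares and reports the cipher and permission flags, so you can confirm the output is AES-256 rather than legacy RC4. The function names and the sample fragment are constructed for illustration; the /V, /R, /CFM and /P keys and the permission bit positions come from the PDF specification, and the parser assumes /Encrypt is an indirect reference.

```python
import re

# /P permission bits (1-indexed as in the PDF spec); a set bit means "allowed".
PERMISSION_BITS = {"print": 3, "modify": 4, "copy": 5, "annotate": 6}

def algorithm(v, cfm):
    """Map the /V value and crypt filter method (/CFM) to a cipher name."""
    if v == 5 and cfm == "AESV3":
        return "AES-256"
    if v == 4 and cfm == "AESV2":
        return "AES-128"
    if v in (1, 2) or cfm == "V2":
        return "RC4 (legacy)"
    return "unknown"

def inspect_encryption(pdf: bytes) -> dict:
    """Report the encryption settings a PDF declares, without decrypting it."""
    if not re.search(rb"/Encrypt(?![A-Za-z])", pdf):
        return {"encrypted": False}
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref is None:
        raise ValueError("unsupported: /Encrypt is a direct dictionary")
    # Locate "N G obj ... endobj" for the referenced object number/generation.
    pattern = rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % ref.groups()
    obj = re.search(pattern, pdf, re.S)
    if obj is None:
        raise ValueError("encryption dictionary object not found")
    body = obj.group(1)

    def number(key):
        m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
        return int(m.group(1)) if m else None

    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    p = (number(b"P") or 0) & 0xFFFFFFFF  # /P is a signed 32-bit integer
    return {
        "encrypted": True,
        "algorithm": algorithm(number(b"V"), cfm.group(1).decode() if cfm else None),
        "revision": number(b"R"),
        "permissions": {n: bool(p >> (bit - 1) & 1) for n, bit in PERMISSION_BITS.items()},
    }

# Constructed fragment (not a complete PDF; key material such as /O and /U omitted).
SAMPLE = (b"%PDF-2.0\n9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1852\n"
          b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>\n"
          b"/StmF /StdCF /StrF /StdCF >>\nendobj\n"
          b"trailer\n<< /Size 10 /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    print(inspect_encryption(SAMPLE))
```

The dictionary does not reveal whether an open password was set, since a file with only an owner password is also encrypted. Opening the file in a viewer remains the test for the password prompt.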
Choosing a strong password
Length matters more than complexity. A 16-character random passphrase is stronger than an 8-character password with symbols. A phrase like "correct-horse-battery-staple" is memorable and strong. A password like "P@ssw0rd" is weak despite appearing complex.
Avoid passwords tied to the document content, the recipient, or easily discoverable personal information. "ClientNameContract2026" is guessable by anyone who knows the context. A random generator produces better passwords.
Transmit the password through a different channel than the PDF itself. If you email the PDF, send the password by text message or share it verbally. Someone who intercepts the email gets the encrypted PDF but not the key to open it.
Privacy note - encryption in the browser
PDFsuite encrypts your PDF entirely within your browser. The unencrypted file is never transmitted to a server. This matters because upload-based protection tools receive your plaintext document before encrypting it - meaning the tool operator has access to your file in its unprotected form.
With client-side encryption, the most the operator could see is ciphertext, and only if they intercepted the download. They cannot, because the download goes directly from browser memory to your machine.
This is the architecturally correct way to encrypt a document you are trying to keep private. The alternative - uploading an unprotected file to a server that encrypts it and sends it back - means the server saw the document in plaintext. The encryption in that case protects future recipients from each other, but not from the service itself.