Skip to content
BabaPDF
Learn

What a PDF password actually protects

6 min readArticle

There are two passwords, and the one that restricts printing and copying is a polite request your viewer is free to ignore.

Someone sends you a PDF that will not let you copy its text, and it opens without asking for anything at all. Someone else sends one that demands a password before it will show you a single page. Both get described as password-protected. Only one of them is protecting anything, and the difference is not a matter of degree — what a PDF password actually protects depends entirely on which of the format's two passwords you are looking at.

A PDF has two passwords, not one

The PDF format defines two separate passwords for a single file. The user password is the one that gets you in: without it the document's contents stay encrypted, and no viewer can show you anything. The owner password is a different animal — it nominally governs what you are allowed to do once the document is already open. Printing, copying text, editing, filling in forms, rearranging pages. Most people have only ever met the first kind, and reasonably assume that is the whole story.

The two are set independently, and that is where the trouble begins. A file can carry an owner password and no user password whatsoever. Such a file opens instantly, for anyone, and shows every page — while announcing that certain actions are off-limits. That is the file you could not copy the text out of.

A single large dark key with a bright dot at its bow and cut teeth along its blade
The user password and the owner password are not two strengths of the same thing. One is a key. The other is a note asking politely.

Permissions are a request, not a lock

Permission restrictions in a PDF are a single integer stored in the file, which viewers are asked to honour. That is the entire mechanism, start to finish. When a document says you may not copy its text, the text is sitting in the file in the clear; the file carries a number whose bits mean "no copying", and your viewer reads that number and greys out the menu item as a courtesy to whoever set it.

A tool that does not consult those bits simply does not consult them. There is nothing to pick and nothing to break, because when the user password is empty the content was never sealed — it decrypts for anyone who asks. Honouring permission flags is a convention among well-behaved viewers, and a well-behaved viewer is not a security boundary. It is an etiquette.

A dark card with a row of small bright switches along one edge and a hand reaching across it
The flags are switches a viewer is asked to read. Walking past them without looking breaks nothing, because there was nothing there to break.

The empty password is the whole illusion

A permission-restricted PDF has an empty user password — the zero-length string, literally nothing. That is precisely why it opens without prompting you, and it is also why any library can decrypt it while knowing nothing. BabaPDF's loader is a few lines of exactly this: when it meets an encrypted file, it tries loading it a second time with the password set to the empty string. If that works, the document was never protected from you, and every tool on the site carries on as normal. If it fails, there is a real user password, and you get told to unlock the file first.

I ran the experiment rather than reasoning about it. I built a PDF with copying denied and editing denied, sealed with an owner password I chose myself, and passed it through merge without supplying any password at all. The merge succeeded. Reading the output back, it has no encryption dictionary — none. The restriction is not weakened in the result; it is absent. Nobody typed a password, because there was never a password to type.

That is not a flaw in this particular site. It is what every PDF tool on earth does with such a file, including the ones that charge you for it. If you have ever received a document you could not copy from and wondered whether some tool could get around it, the answer is that almost any tool gets around it — by accident, by not looking. Same shape of mistake as believing a crop removes what it hides.

What this site's own protect tool refuses to offer

Protect PDF sets the user password and the owner password to the same value. One password in the box, both slots filled with it. That is a deliberate refusal: there is no "anyone may open this, but only I may edit it" tier here, because that tier was never real to begin with. You get one password, and whoever holds it holds the document entirely. Setting one up is covered separately; what matters here is what it does and does not buy you.

The file it writes still carries a permissions integer, because the format expects to find one there. The value is -1340, if you go looking in the encryption dictionary. Decode the bits and it denies copying, editing, annotating, form filling and page assembly, and it allows exactly two things: extraction for accessibility tools, and printing at high resolution.

Which deserves saying plainly rather than burying. Copying text is denied and printing at full resolution is allowed. If your worry is that a reader will lift your words out of the document, note that they are welcome to print it at the best quality the format offers — and a high-resolution print is a comfortable starting point for getting the text back out. Those flags are set because a viewer expects to find them. They are not holding a line.

A heavy dark vault door with a bright padlock on its face
A permission-restricted PDF opens for anybody who asks. The lock hanging on it was never closed.

What a user password genuinely gives you

A user password buys real encryption, and it is the one thing in this area worth relying on. With it set, the document's streams are ciphertext — the words are not sitting in the file waiting for a polite viewer to hide them, they are not in the file in readable form at all. Someone without the password does not get a degraded view of your document. They get nothing. If you have the password and want it taken off again, that is its own job, and it needs the password.

Its limits are the ordinary limits of any shared secret. Everyone who needs to read the file needs the password, so the password travels — usually in the email immediately beneath the attachment, which undoes the entire exercise. And once a person has opened the document, they have the document. There is no mechanism in the format that lets someone read a page without being able to keep it. Encryption controls who gets in. It has nothing whatsoever to say about what they do once they are inside, and no quantity of permission flags changes that.

A bright sheet on a rail beside a pair of open scissors and a solid dark block
Copying denied, printing at high resolution allowed. The words leave the building either way.

How to think about it

  • A user password encrypts the file. Without it there is no readable document at all — that protection is real, and it is the only real one here.
  • An owner password sets flags. Flags are honoured by viewers that choose to honour them, and ignored for free by everything that does not.
  • A PDF that opens without prompting you is not protected, whatever its menus have greyed out.
  • There is no read-but-do-not-keep tier in the PDF format. If someone can open it, they can keep it.
  • If a document genuinely must not be read by the wrong person, give it a user password and send that password by another route entirely. Everything else is decoration.
Keep reading