There was a story last month that Adobe’s latest release (Acrobat 9) actually weakened the strength of the algorithm they use for passwords that protect PDF documents. If you’re using password-protected PDFs as a way to send confidential information to your customers or business partners, does this mean that you can no longer trust the protection?

There is a lot of confusion because at the same time, Adobe increased the encryption from 128-bit to 256-bit. More is better, right? All things being equal, that’s usually true. In this case though, they also changed the way the encryption works. The net result is that the password is now crackable about 100 times faster than with the older Adobe versions.

If you are using weak passwords, this change matters a lot. Passwords that used to take 3 months to crack will now be breakable in a little over a day. If you’re still using single english words for your password, your protection is weak at best. A brute-force attack (where the hacker tests every word in the dictionary against your document) will break a weak password in minutes. On the other hand, if you’re picking strong pass-phrases – whole sentences from a favorite book or song – and if your phrase includes upper case, lower case, numbers and special characters, your cracktime is probably still measured in millennia. I tend to like sentences from children’s counting books such as “On Monday, he ate thru 1 apple.” from The Very Hungry Caterpillar. Not only does it have all four character classes, but I’ve read that book far too many times – there’s no chance that I’ll ever forget that pass-phrase. Combine that phrase with the prefix trick for managing multiple passwords and your password will outlast a thousand hackers.

The one unambiguously good thing about this change is that Adobe got rid of the 32 character limit. You can now type as much as you want for your pass-phrase (up to 127 characters – and even I’ve never hit that limit). If you take advantage of that increase, the change to version 9 is a net security benefit even with the change to the algorithm. You can read more at or on Adobe’s own security blog.

Leave a Reply