Maximum PDF Password Length

Bhikkhu Pesala
User
Posts: 1776
Joined: Tue May 29, 2007 9:29 am

Maximum PDF Password Length

Post by Bhikkhu Pesala »

A Google search just leads to numerous tools for cracking PDF passwords. Is there a maximum password length defined in the PDF specification? Does PDF-XChange support the longest possible password?

My DTP software is limited to 30 characters, but I can enter a longer password in the security tab of PDF-XChange.

What is the minimum recommended length, and how well do password cracking tools work?
Windows 10 Home 64-bit • AMD Ryzen 5 3400G, 8 Gb
Review: http://www.softerviews.org/PDF-XChange.html
Stefan - PDF-XChange
Site Admin
Posts: 19930
Joined: Mon Jan 12, 2009 8:07 am

Re: Maximum PDF Password Length

Post by Stefan - PDF-XChange »

Hello Bhikkhu,

Taken from the PDF Specification:
Algorithm 2: Computing an encryption key
a) Pad or truncate the password string to exactly 32 bytes. If the password string is more than 32 bytes long,
use only its first 32 bytes; if it is less than 32 bytes long, pad it by appending the required number of
additional bytes from the beginning of the following padding string:
< 28 BF 4E 5E 4E 75 8A 41 64 00 4E 56 FF FA 01 08
2E 2E 00 B6 D0 68 3E 80 2F 0C A9 FE 64 53 69 7A >
That is, if the password string is n bytes long, append the first 32 - n bytes of the padding string to the end
of the password string. If the password string is empty (zero-length), meaning there is no user password,
substitute the entire padding string in its place.
So the "optimal" password would be a 32 byte one, but in any case the PDF file would be encrypted using a 32 byte password string. Then the next question is for the strength of the encryption algorithm that will use the above described password.

In PDF specification up to and including 1.3 the encryption is with just 40 bits, and with the proper software it will take from a few hours to a couple of days on pretty much any home PC to crack such a password. I even saw a tool guaranteeing to recover a 40-bit encrypted file within minutes with its premium version.

PDFs secured with 128-bit encryption (PDF specifications 1.4 to 1.7) will generally be much tougher to decrypt but still not impossible to "crack".
256-bit encryption is used in PDF 1.7 extension 3 - and even with a modern GPU card with CUDA support and the right software one is not guaranteed to break a proper, strong, non-dictionary password in reasonable time.

This applies to documents protected with an "open" password. Documents which do not require a password to be opened and have a password only to enforce some restrictions can be stripped of those restrictions within seconds.

So the alternative is to use a third party security handler like FileOpen - the support for which is coming in the new Viewer :)

Best,
Stefan
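Step (a) quoted above, carried through the rest of the standard security handler's MD5-based key derivation (revision 3, 128-bit), as an added example that is not part of the original post or of PDF-XChange's code. The steps after (a) are not quoted in this thread, and the O entry, P flags and file ID below are constructed sample values.

```python
import hashlib

# Padding string from step (a) of Algorithm 2, as quoted in the post above.
PAD = bytes.fromhex(
    "28BF4E5E4E758A4164004E56FFFA0108"
    "2E2E00B6D0683E802F0CA9FE6453697A"
)

def pad_password(password: bytes) -> bytes:
    """Step (a): keep the first 32 bytes, or pad from the start of PAD."""
    return (password[:32] + PAD)[:32]

def derive_key_r3(password: bytes, o_entry: bytes, p_flags: int,
                  file_id: bytes, key_len: int = 16) -> bytes:
    """Later steps of Algorithm 2 for a revision 3 handler (not quoted in
    the thread): MD5 over padded password, O entry, P as 4 little-endian
    bytes and the first file ID element, then 50 further MD5 rounds."""
    md5 = hashlib.md5(pad_password(password))
    md5.update(o_entry)
    md5.update((p_flags & 0xFFFFFFFF).to_bytes(4, "little"))
    md5.update(file_id)
    digest = md5.digest()
    for _ in range(50):
        digest = hashlib.md5(digest[:key_len]).digest()
    return digest[:key_len]

# Constructed sample values (assumptions, not taken from any real file).
SAMPLE_O = bytes(range(32))
SAMPLE_P = -3904
SAMPLE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")

def key_for(password: bytes) -> bytes:
    return derive_key_r3(password, SAMPLE_O, SAMPLE_P, SAMPLE_ID)

# A 40-byte password and a variant that differs only after byte 32.
LONG_PW = b"correct-horse-battery-staple-2024-extra!"
LONG_PW_TAIL_CHANGED = LONG_PW[:32] + b"ZZZZZZZZ"
# A variant that differs in the very first byte.
LONG_PW_HEAD_CHANGED = b"C" + LONG_PW[1:]

if __name__ == "__main__":
    print("tail changed, same key:",
          key_for(LONG_PW) == key_for(LONG_PW_TAIL_CHANGED))
    print("head changed, same key:",
          key_for(LONG_PW) == key_for(LONG_PW_HEAD_CHANGED))
```

The limit is counted in bytes, so a password containing characters that encode to more than one byte reaches it in fewer than 32 characters.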
Bhikkhu Pesala
User
Posts: 1776
Joined: Tue May 29, 2007 9:29 am

Re: Maximum PDF Password Length

Post by Bhikkhu Pesala »

Tracker Supp-Stefan wrote: So the "optimal" password would be a 32 byte one, but in any case the PDF file would be encrypted using a 32 byte password string. Then the next question is for the strength of the encryption algorithm that will use the above described password.

Thank you for your prompt reply.

So I assume that there is not much benefit in permitting more than 32 characters, other than allowing the user greater freedom in choosing a password. The strength of encryption depends on the PDF version more than the length of the password.
Windows 10 Home 64-bit • AMD Ryzen 5 3400G, 8 Gb
Review: http://www.softerviews.org/PDF-XChange.html
Stefan - PDF-XChange
Site Admin
Posts: 19930
Joined: Mon Jan 12, 2009 8:07 am

Re: Maximum PDF Password Length

Post by Stefan - PDF-XChange »

Hi Bhikkhu,

Yes the strength of protection of a PDF document is more dependent on the PDF specification used than on the password - WHEN the password is a strong one. As one of the first things each password breaking application will try is dictionary words - then the weakest point would be the password strength itself rather than the encryption algorithm used.

As for the maximum password length - yes it's better to be able to decide your own password lengths even if only the first 32 bytes of it will be used for securing your file.

Best,
Stefan