Acrobat 9 and password encryption

Based on some recent online discussion of Acrobat 9 and password encryption, we’re posting to provide a quick summary on what has changed, how it impacts the overall security of PDF documents, and Adobe’s commitment to providing high-assurance document security implementations.


The current specification for password-based 256-bit AES encryption in PDF provides greater performance than the previous 128-bit AES implementation.  While this allows for 256-bit AES password protected documents to open faster in Acrobat 9, it can also allow external brute-force cracking tools to attempt to guess document passwords more rapidly because fewer processor cycles are required to test each password guess.  These tools operate independently of Acrobat and work directly on a password protected document by repeatedly guessing from lists of dictionary words like “turkey”, “potato”, and “pie” to see if the document will open.Adobe continues to recommend that customers using password-based encryption utilize long pass-phrases with upper case, lower case, numbers, and symbols to help mitigate dictionary attacks. With a longer phrase and more diversity of characters, there are many more permutations to guess. This significantly increases the time required to guess passwords, which in turn significantly increases the security of the protected document.Additional security measures were added to the 256-bit AES implementation of password security in PDF, and Adobe Acrobat and Adobe Reader 9 both support these measures.  Specifically, Acrobat 8 used pass-phrases of up to 32 Roman characters in length for 128-bit AES encryption.  Acrobat 9 now supports pass-phrases of 127 Roman characters in length for 256-bit AES encryption and added support for unicode characters.  In the permutation with repetitions formula used to calculate how many unique pass-phrases are possible, XY, Adobe has increased both X and Y in Acrobat 9. Pass-phrases can now be up to 4 times as long and support a greater number of international characters and symbols to be entered by keyboards around the world, which can greatly increase document protection when used properly.

Need help picking a long pass-phrase? Pick a line or two from your favorite song or poem and add numbers or symbols if they aren’t already there.

Adobe continues to make significant investments in document security.  Acrobat utilizes NIST FIPS 140 certified encryption libraries and is certified by the US Department of Defense (DoD) Joint Interoperability Test Command (JITC).  Adobe offers several document encryption methods at multiple levels of assurance and is considering additional security measures for future releases of password security that balance performance with security.For higher-assurance applications, Adobe continues to recommend using PKI-based encryption or Adobe LiveCycle Rights Management encryption – instead of user-generated document open passwords.  Acrobat and Adobe Reader 9 now support 256-bit AES encryption for both of these environments.  256-bit AES encryption is widely known to be stronger than 128-bit AES.  Document protection can also be increased with hardware tokens – including three-factor authentication with a smartcard, PIN and biometric.For more information about Adobe’s information assurance solutions in Acrobat, LiveCycle, and other applications, visit http://adobe.com/security

keywords: acrobat 9 password secure elcomsoft advanced pdf password recovery