← Back to all posts

PDFUnlock Blog

What is PDF encryption?

A practical guide to PDF encryption: owner vs user passwords, RC4 vs AES, and what "strong" really means.

· by PDFUnlock team · 7 min read

PDF files can carry two very different kinds of protection, and understanding which one you are dealing with is the first step towards getting back into your document.

Owner password vs user password

A user password is what you type to open the file. Without it, the document cannot be decrypted at all — the binary content stays scrambled.

An owner password is completely different. The file opens without prompting, but the creator has flagged it as read-only or print-disabled. Tools that honour these flags (Adobe Reader, most browsers) will refuse to let you copy, edit or print. Owner passwords are cosmetic — they are stored in plain text inside the PDF itself, and removing them takes milliseconds.

PDFUnlock removes owner passwords for free. If your PDF opens fine but you can’t print it, you don’t need to pay anyone — drop the file on our home page and you’ll get the unrestricted version in seconds.

RC4 vs AES

The encryption algorithm depends on which version of Acrobat was used to create the PDF.

  • RC4-40 (Acrobat 2–4): the only 40-bit cipher ever shipped to consumers. It’s trivially breakable. A modern GPU cracks any RC4-40 PDF in under a minute.
  • RC4-128 (Acrobat 5–8): the 128-bit variant. Dictionary attacks are fast; random 8+ character passwords are hard.
  • AES-128 (Acrobat 9): a proper modern cipher. Brute forcing long random strings is infeasible, but most real-world passwords come from dictionaries and still fall to rule-based attacks.
  • AES-256 (Acrobat 10 and up): the strongest option shipped with Acrobat. Only dictionary and rule-based attacks have a reasonable chance of success; a truly random 12+ character password is mathematically out of reach on current hardware.

Why the success rate varies so much

Our honest estimate is about 100 % for RC4-40, 50 % for RC4-128/AES-128, and 20 % for AES-256. The difference isn’t the algorithm — the algorithm is solid. It’s the password itself. When people choose a password they reach for something memorable: a birthday, a child’s name, a song lyric. Those patterns are in the dictionaries we try, and rule-based attacks cover common substitutions (@ for a, 1 for i, and so on). If your password came from a password manager and looked like t9^Jq2p@Zr, no amount of compute is going to recover it.

What to do next

  1. Upload your PDF to PDFUnlock. We detect the encryption type and run a free quick test against the 1 000 most common passwords.
  2. If the quick test finds it, you’re done — no payment needed.
  3. If it doesn’t, you can start a deep recovery. We charge once — and only if we actually find the password.

That’s it. If you have more questions, our FAQ covers the most common ones.

Ready when you are

Unlock your PDF in the next 60 seconds

Free for owner passwords. Pay-on-success for user passwords. No account. No card. Just the file and a result.

Drop your PDF now See pricing first