PDFUnlock Guide
PDF Encryption Explained: RC4, AES-128, AES-256
A technical but accessible explanation of how PDF encryption works — from legacy RC4-40 to modern AES-256. Understand why some PDFs are easy to crack and others are nearly impossible.
PDFUnlock Team
Every encrypted PDF uses one of four encryption algorithms, and the algorithm determines almost everything about whether the password can be recovered. This guide explains each one in plain language, with enough technical detail to understand why a 25-year-old PDF is trivially crackable while a modern one might be unbreakable.
If you just want to know which encryption your PDF uses, upload it to PDFUnlock — the analysis is free and instant.
How PDF Encryption Works at a High Level
When you set a password on a PDF, the application (usually Adobe Acrobat) does not simply “lock” the file. It transforms the entire document content using a mathematical cipher. The password you choose becomes the key that reverses this transformation.
The PDF specification defines an encryption dictionary stored in the file header. This dictionary contains the algorithm identifier, the key length, permissions flags, and a set of verification hashes. When you type a password to open the file, the PDF reader hashes your input using the parameters from this dictionary and checks whether the result matches the stored hash. If it matches, the reader derives the decryption key and decodes the document.
This is why password recovery tools do not need the full PDF — they only need the encryption dictionary (a few hundred bytes). The hash extracted from this dictionary is what cracking tools like Hashcat work against.
RC4-40: The Legacy Cipher (Acrobat 2-4)
RC4-40 was the first encryption algorithm used in PDF files, introduced in the mid-1990s. The “40” refers to the key length: 40 bits.
Why it is weak: A 40-bit key means there are only about 1.1 trillion possible keys. That sounds like a lot, but a modern GPU can test over 20 billion keys per second. The entire key space can be exhausted in under a minute. This means every RC4-40 PDF can be cracked regardless of password complexity — even a 50-character random password falls because the effective security is limited by the 40-bit key, not the password length.
How to identify it: PDFs created with Acrobat 2, 3, or 4 (roughly 1996-2001) use RC4-40 by default. The encryption dictionary shows /V 1 and /Length 40. PDFUnlock reports these as “RC4-40” with a green badge indicating near-certain recovery.
Recovery time: Seconds to minutes. Success rate is effectively 100%.
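Why a longer password does not help here, as an added example (not PDFUnlock's code): the file-key derivation that the PDF standard security handler specifies for its RC4 revisions, run on constructed /O, /P and /ID values. It also covers revision 3, the 128-bit RC4 scheme described in the next section; `derive_file_key`, `key_bits` and the sample values are names and data chosen for this example.

```python
import hashlib
import struct

# 32-byte padding string of the PDF standard security handler.
PAD = bytes.fromhex(
    "28bf4e5e4e758a4164004e56fffa0108"
    "2e2e00b6d0683e802f0ca9fe6453697a"
)

# Constructed sample values, not taken from any real document.
SAMPLE_O = bytes(range(32))     # stand-in for the 32-byte /O entry
SAMPLE_P = -44                  # stand-in for the /P permission flags
SAMPLE_ID = bytes.fromhex("00112233445566778899aabbccddeeff")  # first /ID element


def derive_file_key(password, revision=2, length_bits=40,
                    o_entry=SAMPLE_O, p_flags=SAMPLE_P, file_id=SAMPLE_ID):
    """Derive the RC4 file key for security handler revision 2 or 3."""
    if revision not in (2, 3):
        raise ValueError("only the RC4 revisions 2 and 3 are covered")
    n = 5 if revision == 2 else length_bits // 8   # revision 2 always keeps 5 bytes
    # Assumption: Latin-1 stands in for PDFDocEncoding (identical for ASCII).
    # The password is padded or truncated to exactly 32 bytes.
    padded = (password.encode("latin-1") + PAD)[:32]
    md5 = hashlib.md5(padded)
    md5.update(o_entry)
    md5.update(struct.pack("<I", p_flags & 0xFFFFFFFF))  # /P as unsigned 32-bit, low byte first
    md5.update(file_id)
    digest = md5.digest()
    if revision == 3:                                    # revision 3 re-hashes 50 times
        for _ in range(50):
            digest = hashlib.md5(digest[:n]).digest()
    return digest[:n]


def key_bits(password, revision=2, length_bits=40):
    """Size in bits of the key the document is actually encrypted under."""
    return 8 * len(derive_file_key(password, revision, length_bits))
```

Whatever the password, revision 2 keeps only the first 5 bytes of the MD5 digest, and any characters beyond the 32nd never reach the hash at all.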
RC4-128: The Extended Key (Acrobat 5-8)
Acrobat 5 (released in 2001) upgraded the key length to 128 bits while keeping the RC4 stream cipher. The key space jumped from 2^40 to 2^128 — a number so large that exhaustive search is impossible.
Why it is still vulnerable: Although the key space cannot be brute-forced, the passwords that generate those keys are human-chosen. Most people use dictionary words, names, dates, and predictable patterns. A dictionary attack that tests the 14 million passwords in the rockyou.txt wordlist — plus common rules like appending numbers, capitalizing letters, and substituting characters — covers the vast majority of real-world passwords.
Cracking speed: RC4-128 hashing is relatively fast. A modern GPU can test around 1.5 billion password candidates per second against an RC4-128 PDF. A full dictionary attack with aggressive rule mutations completes in minutes to hours.
Recovery success rate: 70-85% for typical passwords. Truly random passwords longer than 10 characters are generally safe.
AES-128: The Modern Cipher (Acrobat 9)
Adobe Acrobat 9 (2008) replaced RC4 with AES (Advanced Encryption Standard) using 128-bit keys. AES is a block cipher, fundamentally different from the stream cipher RC4, and is considered cryptographically sound by modern standards.
What changed for cracking: AES-128 hashing is computationally more expensive than RC4-128. Each password candidate requires more work to test, which reduces the number of candidates a GPU can evaluate per second. A typical GPU tests around 200-400 million AES-128 candidates per second — still fast, but 3-7 times slower than RC4-128.
The password derivation function matters: Acrobat 9 uses a more complex key derivation scheme (based on MD5 with 50 rounds of RC4 for the password check). This is slower per candidate than RC4-128 but still far faster than modern password hashing functions like bcrypt or Argon2.
Recovery success rate: 50-70%. Dictionary attacks remain effective because humans still choose weak passwords, but the reduced cracking speed means fewer candidates can be tested within a given time budget.
AES-256: Maximum Security (Acrobat 10+)
Acrobat X (2010) and all subsequent versions use AES-256 — the strongest option in the PDF specification. The key derivation also changed significantly: Acrobat X uses SHA-256 with iterative hashing, and Acrobat XI/DC introduced an even more expensive key derivation scheme.
Why AES-256 is genuinely hard: The combination of a strong cipher (AES-256), a large key space (2^256), and an expensive key derivation function means that each password candidate takes significantly more computation to test. A top-end GPU manages roughly 2-4 million candidates per second, about 500 times slower than RC4-128.
The math does not lie: At 3 million tests per second, checking the full 14-million-word rockyou.txt dictionary takes about 5 seconds. Adding common mutation rules (which multiply the search space by 1000-10000x) pushes the time to hours or days. Brute-forcing all possible 8-character passwords (containing lowercase, uppercase, digits, and symbols) would take over 200 years on a single GPU.
Recovery success rate: 15-25%. Only passwords that appear in common dictionaries or use very predictable patterns can be recovered. Truly random passwords of 8+ characters are practically unrecoverable.
How to Check Your PDF’s Encryption Type
You do not need to be a technical expert to determine which encryption your PDF uses. Here are several methods:
PDFUnlock (easiest): Upload the file to pdfunlock.app. The analysis page shows the exact encryption type, key length, and estimated recovery success rate — all for free.
Adobe Acrobat Reader: Open the PDF (if you can), go to File > Properties > Security. The “Security Method” field shows the encryption level.
Command line (qpdf): Run qpdf --show-encryption yourfile.pdf. This displays the algorithm, key length, and all permission flags.
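For auditing a batch of documents, the same classification can be done from the encryption dictionary itself. The following is an added example, not PDFUnlock's or qpdf's code: it maps the /V, /Length and crypt filter /CFM entries to the four labels used in this guide and lists the files still on RC4. The sample dictionaries are constructed, and `classify_encryption` and `weak_files` are names chosen for this example.

```python
import re

# Constructed /Encrypt dictionaries (with /O and /U omitted), one per algorithm.
SAMPLES = {
    "legacy.pdf": b"<< /Filter /Standard /V 1 /R 2 /P -44 >>",
    "rc4-128.pdf": b"<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 >>",
    "aes-128.pdf": b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1028 "
                   b"/CF << /StdCF << /CFM /AESV2 /Length 16 >> >> "
                   b"/StmF /StdCF /StrF /StdCF >>",
    "aes-256.pdf": b"<< /Filter /Standard /V 5 /R 6 /Length 256 /P -1028 "
                   b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> "
                   b"/StmF /StdCF /StrF /StdCF >>",
}

# Crypt filter methods used when /V is 4 or 5.
# Assumption: a /V2 crypt filter is reported as RC4-128, the usual key size.
CFM_LABELS = {"V2": "RC4-128", "AESV2": "AES-128", "AESV3": "AES-256"}


def _int_entry(name, text, default):
    """Integer value of a /Name entry, or the default when it is absent."""
    m = re.search(rb"/" + name + rb"\s+(-?\d+)", text)
    return int(m.group(1)) if m else default


def classify_encryption(encrypt_dict):
    """Label a standard security handler /Encrypt dictionary by cipher."""
    if not re.search(rb"/Filter\s*/Standard\b", encrypt_dict):
        return "unknown (not the standard security handler)"
    v = _int_entry(b"V", encrypt_dict, 0)
    if v == 1:
        return "RC4-40"                      # /Length defaults to 40
    if v == 2:
        return "RC4-%d" % _int_entry(b"Length", encrypt_dict, 40)
    if v in (4, 5):
        cfm = re.search(rb"/CFM\s*/(\w+)", encrypt_dict)
        method = cfm.group(1).decode() if cfm else "missing"
        return CFM_LABELS.get(method, "unknown (CFM %s)" % method)
    return "unknown (/V %d)" % v


def weak_files(dicts):
    """Names of files still protected with RC4 of any key length."""
    return sorted(n for n, d in dicts.items()
                  if classify_encryption(d).startswith("RC4"))
```

In real files the binary /O and /U strings can contain arbitrary bytes, so pass in the dictionary as extracted by a PDF parser, or cross-check the result against the output of qpdf --show-encryption.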
What This Means for Password Recovery
The encryption type determines whether recovery is likely, possible but uncertain, or practically impossible:
| Encryption | Key Length | Speed (GPU) | Success Rate | Typical Time |
|---|---|---|---|---|
| RC4-40 | 40-bit | 20B/s | ~100% | Seconds |
| RC4-128 | 128-bit | 1.5B/s | 70-85% | Minutes-hours |
| AES-128 | 128-bit | 300M/s | 50-70% | Hours |
| AES-256 | 256-bit | 3M/s | 15-25% | Hours-days |
The most important takeaway: the encryption type matters far more than the password length for recovery feasibility. An RC4-40 PDF with a 30-character password is easier to crack than an AES-256 PDF with a 6-character password, because the RC4-40 key space is small enough to search exhaustively.
Conclusion
PDF encryption has evolved dramatically over 30 years. If your locked PDF is old (created before 2008), recovery is very likely. If it uses modern AES-256, success depends entirely on the password strength. The first step is always to check what you are dealing with — upload your PDF to PDFUnlock for a free, instant analysis.