TL;DR: AES-256 is the highest encryption standard for PDF files. There are two independent protection layers - an open password and a permissions password. A weak password makes even the strongest encryption useless - use at least 12 characters. Remember: a password protects the file, not old unprotected copies of it.
What actually happens when you lock a PDF
When you protect a PDF with a password, you are not hiding the file - you are encrypting its contents. The data inside becomes an unreadable string of random-looking bytes. Only someone with the correct password can trigger the decryption process and see the real document.
Encryption operates on two layers:
- Content encryption - the page text, images, and data are scrambled and unreadable without the key
- Permissions mechanism - a separate layer that defines what actions are allowed even after the file is opened
AES-128 vs AES-256 - the practical difference
AES (Advanced Encryption Standard) is the encryption algorithm used in modern PDF protection. The numbers 128 and 256 refer to the length of the encryption key in bits.
| Factor | AES-128 | AES-256 |
|---|---|---|
| Key length | 128 bits | 256 bits |
| Possible key combinations | 2¹²⁸ | 2²⁵⁶ |
| Relative strength | Strong | Astronomically stronger |
| Performance | Slightly faster | Marginally slower |
| Software support | Widely supported | Widely supported |
| Recommended for | Standard documents | Sensitive documents, long-term archives |
The practical takeaway: Both are very strong for everyday use. AES-256 is the stronger of the two and the preferred standard today - the performance difference is undetectable in everyday use, so there is no reason to choose the lower level when the higher one is available.
The two protection levels explained
When protecting a PDF, there are two distinct mechanisms that can be applied independently:
Level 1: Open Password (User Password)
This is access control. Anyone who tries to open the file sees a password prompt. Without the correct password, the document cannot be opened at all.
- Protects: viewing the content entirely
- Best for: contracts, payslips, medical records, legal documents, anything that not everyone should access
- Important: the password must reach the recipient through a separate channel (not in the same email as the file)
Level 2: Permissions Password (Owner Password)
This is action control. The file opens without a password, but certain operations are blocked:
| Permission | What can be restricted |
|---|---|
| Printing | Block entirely or allow only low-resolution printing |
| Editing | Prevent content modification |
| Copying text | Prevent copy-paste (Ctrl+C) |
| Adding annotations | Prevent comments and markups |
| Filling forms | Prevent completing form fields |
Critical clarification: A permissions-only password does not protect the content from being read. Anyone who receives the file can open and read it - the restrictions only block the listed actions, and only in software that honors the permission settings.
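To check which cipher and which restrictions a protected copy actually carries, both are recorded in the file's /Encrypt dictionary. The following is an added example, not code from this guide or from Kovetz: it reads the crypt filter method and decodes the /P permission flags from two constructed sample dictionaries, assuming the dictionary bytes have already been extracted from the file.

```python
import re

# Crypt filter method (/CFM) -> cipher used by the standard security handler.
CIPHERS = {"V2": "RC4", "AESV2": "AES-128", "AESV3": "AES-256"}

# /P permission flags: 1-indexed bit position -> action it allows when set.
PERMISSION_BITS = {3: "print", 4: "edit content", 5: "copy text",
                   6: "add annotations", 9: "fill forms",
                   12: "high-resolution print"}

# Constructed sample dictionaries (key material such as /O and /U omitted).
AES256_LOCKED = (b"<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904 "
                 b"/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> "
                 b"/StmF /StdCF /StrF /StdCF >>")
AES128_PRINT_ONLY = (b"<< /Filter /Standard /V 4 /R 4 /Length 128 /P -1852 "
                     b"/CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >> "
                     b"/StmF /StdCF /StrF /StdCF >>")


def audit_encrypt_dict(raw: bytes) -> dict:
    """Report the cipher and the allowed/denied actions of an /Encrypt dictionary."""
    text = raw.decode("latin-1")

    def number(key: str):
        match = re.search(r"/%s\s+(-?\d+)" % key, text)
        return int(match.group(1)) if match else None

    cfm = re.search(r"/CFM\s*/(\w+)", text)
    if cfm:
        cipher = CIPHERS.get(cfm.group(1), "unknown")
    else:
        # Handlers with /V 1 or 2 have no crypt filters and always use RC4.
        cipher = "RC4" if number("V") in (1, 2) else "unknown"

    flags = number("P")
    if flags is None:
        raise ValueError("no /P entry: not a standard-handler /Encrypt dictionary")
    flags &= 0xFFFFFFFF  # /P is written as a signed 32-bit integer
    allowed = [name for bit, name in PERMISSION_BITS.items() if (flags >> (bit - 1)) & 1]
    denied = [name for name in PERMISSION_BITS.values() if name not in allowed]
    return {"cipher": cipher, "revision": number("R"), "allowed": allowed, "denied": denied}


if __name__ == "__main__":
    for label, sample in (("locked", AES256_LOCKED), ("print-only", AES128_PRINT_ONLY)):
        print(label, audit_encrypt_dict(sample))
```

The dictionary does not show whether an open password was set; confirm that by opening the protected copy in a viewer.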
When to use which?
- Confidential document - open password only, or both passwords
- Read-only circular or report - permissions password (blocks editing, allows reading)
- Fillable form that should not be altered - permissions password with editing blocked
- Highly sensitive document - both passwords together
How strong does the password need to be
The encryption can be perfect AES-256 - but if the password is "1234" or "pdf" or your company name, the encryption is worthless. The password is the weakest link in the chain.
What makes a password strong?
| Factor | Weak | Strong |
|---|---|---|
| Length | Fewer than 8 characters | 12 characters or more |
| Character types | Letters only | Letters + numbers + symbols |
| Guessability | Name, date, dictionary word | Random combination |
| Reuse | Same password everywhere | Unique for each file |
A practical approach: the passphrase method
Instead of trying to memorize "X7!kQ#mP2&", use a memorable phrase with substitutions:
- "MyContract2026!Signed" - easy to recall, hard to guess
- "Invoice#March-2026-Final!" - meaningful context, strong structure
- "Kovetz#Secure#Document2026" - mix of words and numbers
Length beats complexity: A 16-character password using common words is stronger than an 8-character password using complex symbols, because the key space is larger.
Use a password manager
For unique passwords per document, a password manager is the only realistic solution. It generates, stores, and fills strong passwords automatically. You only need to remember one master password.
What a password does not protect against
Understanding the limits of protection is as important as applying it. Strong password + AES-256 = excellent encryption. But:
Old unprotected backups
If you sent or shared the file before protecting it, the recipient already has the unprotected version. Protecting a new copy does not help.
The fix: Always protect the file before sending it. Not after.
Screenshots
Once the recipient opens the file with the correct password, they can take a screenshot of every page. No encryption protects against that. If the content is sensitive enough that screenshots are a concern, consider whether digital distribution is appropriate at all.
Weak passwords that can be guessed
Dictionary attacks try millions of common passwords in seconds. "pdf2024", "123456", the client's name, a birth date - all of these are scanned quickly. A random 12+ character password takes longer than any desktop computer can process in a human lifetime.
A forgotten password means a permanently locked file
There is no way to recover a forgotten PDF password. AES-256 encryption means that even the tool that created the file cannot open it without the password. Always save a copy of the password in a password manager the moment you set it.
Common mistakes to avoid
Mistake 1: Setting permissions without an open password
Many people restrict printing and editing but leave the content itself readable. If the document is sensitive, add an open password too.
Mistake 2: Using the same password for all files
If one password leaks, all your protected files are exposed. Use a unique password for each sensitive document.
Mistake 3: Sending the password in the same message as the file
Email the PDF, then send the password via SMS or a phone call. Never both in the same email thread.
Mistake 4: Protecting the file after it has already been shared
If the file was sent without protection, protecting a new copy does nothing. Protect before sending - always.
Mistake 5: Not verifying the password actually works
Before deleting the original unprotected version, open the protected copy and confirm the password works exactly as intended. Do not assume.
How to protect a PDF with Kovetz
Kovetz (kovetz.co.il) offers PDF password protection with AES-256 encryption - no software to install, works directly in the browser.
What you get:
- AES-256 encryption - the highest available standard
- Support for both protection levels (open password and permissions)
- Files are not stored on servers after processing
- Clean, straightforward interface
Frequently Asked Questions
What is the difference between AES-128 and AES-256 encryption?
AES-256 uses a key twice as long as AES-128, making it exponentially stronger. Both are considered secure for everyday use, but AES-256 is recommended for sensitive documents and long-term storage. The performance difference is negligible in practice.
What is the difference between an open password and a permissions password?
An open password (user password) blocks all access to the file - without it, the document cannot be read at all. A permissions password allows the file to open but restricts actions like printing, editing, and copying text. Each can be set independently, or both together.
How long does a PDF password need to be?
A strong password should be at least 12 characters. Combine uppercase and lowercase letters, numbers, and symbols. A memorable phrase with substitutions (like 'Secure2026!') is far stronger than a short, complex password you can't remember and end up writing on a sticky note.
Does a PDF password protect against someone viewing the contents?
Only an open password protects against viewing. A permissions-only password does not block reading - it only restricts actions. If you set only a permissions password, anyone who receives the file can open and read it freely.
What does a PDF password not protect against?
A password does not protect against: old unprotected backups of the file, accidentally sharing the password itself, screenshots taken of the open document, or weak passwords that can be guessed or cracked. The encryption itself is strong - the weak link is almost always the human.
Should I use a different password for each PDF file?
Yes, strongly recommended. Using one password for all sensitive files means that if it leaks, every file is exposed. Use a password manager to store a unique password for each important document - it takes seconds and dramatically reduces your risk.