You set a password on the merger document. It was your dog's name and the year you graduated. A determined attacker with a laptop and off-the-shelf software cracks that in under an hour. The lock was theatre, not security.
A strong password is the cheapest, most effective control you can put on a sensitive PDF — but only if you actually pick a strong one.
Length beats complexity
Brute-force attacks try every combination. Each extra character multiplies the work by 70-ish, the size of the character set (lowercase + uppercase + digits + symbols). Twelve characters is the modern floor; sixteen is comfortable; twenty-plus and you're basically untouchable for the document's useful lifetime.
A passphrase like `winter-rabbit-clock-bureau-42` is easier to remember than `Xg7!q` and astronomically harder to crack.
What to avoid
Never use: your name, your company name, your kid's name, a date that matters to you, dictionary words on their own, the word "password", or anything that appears in the document itself. Attackers feed all of these into their first-pass dictionary.
Don't reuse a password from any other account. If that password leaks anywhere else, your PDF is now part of the same breach.
Generate, don't invent
Humans are terrible random number generators. Use a password manager (1Password, Bitwarden, KeePass) to generate a 20-character random string or a 5-word diceware passphrase. Save it to the vault and copy-paste it into Flint's password tool.
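What a generator does for the two options above, as an added sketch (not code from Flint or any password manager). The 70-character alphabet and the 16-word sample list are assumptions made for this example; a real diceware list has 7776 words.

```python
import math
import secrets
import string

# Assumed alphabet of 70 characters: 52 letters + 10 digits + 8 symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# Constructed 16-word sample list so the block runs offline. It gives only
# 4 bits per word; use a full 7776-word diceware list for real passphrases.
SAMPLE_WORDS = [
    "winter", "rabbit", "clock", "bureau", "harbor", "violet", "copper", "meadow",
    "lantern", "orbit", "pepper", "saddle", "thimble", "walnut", "zephyr", "quarry",
]


def random_password(length=20, alphabet=ALPHABET):
    """Random string drawn with the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words, count=5, sep="-"):
    """Pick `count` words independently and uniformly; repeats are allowed."""
    if len(set(words)) != len(words):
        raise ValueError("word list contains duplicates, entropy would be overstated")
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform choices from `pool_size`."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    print("random string :", random_password())
    print("passphrase    :", passphrase(SAMPLE_WORDS))
    print("20 chars of 70         : %.1f bits" % entropy_bits(len(ALPHABET), 20))
    print("5 words of 7776        : %.1f bits" % entropy_bits(7776, 5))
    print("5 words of sample list : %.1f bits" % entropy_bits(len(SAMPLE_WORDS), 5))
```

The entropy figures hold only when every character or word is chosen at random; a phrase you compose yourself from the same words carries far less.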
When you need to share the password, share it through a different channel than the file — Signal, a phone call, or your password manager's secure-send feature.
Strength vs convenience
There's a real trade-off. If a colleague needs to open the file on their phone, a 30-character random string is going to get retyped wrong four times. Passphrases hit a sweet spot — three or four random words separated by hyphens.
For archived files you rarely open, max out the length. For working documents passed around a small team, use a passphrase the team can actually type.
FAQ
How long should a PDF password be?
Twelve characters minimum, sixteen or more preferred. A four-word passphrase gives roughly the same strength as a sixteen-character random string and is far easier to type.
Is AES-256 stronger than AES-128 for PDFs?
Yes — but the password is almost always the weakest link, not the cipher. A weak password makes either useless. A strong password makes either fine.
Should I write the password down?
In a password manager, yes. On a sticky note next to your monitor, no. The point of a strong password is undermined if it's stored insecurely.
Can I use the same password for every PDF?
Don't. If one file leaks, every file leaks. Generate a unique password per document and store them in a vault.
Pick a password your future self would respect. Then apply it to your PDF before sending.