A team that gets PDF passwords right looks boring from the outside. No drama, no lockouts, no leaks. The boring version comes from following a small handful of rules consistently.
Length and entropy
Twelve characters is the floor; sixteen or more is comfortable. Use a generated passphrase from a password manager, not something invented at the keyboard. Diceware-style passphrases (four to five random words separated by hyphens) are easy to type and astronomically strong.
Avoid: names, dates, project codenames, anything in the document itself, anything used elsewhere.
One document, one password
Don't reuse a password across multiple PDFs. If one leaks, the rest leak. Keep a per-document password in a vault, with the file name as the entry.
For recurring documents (monthly payslips), rotate the password each cycle. For one-offs, generate a fresh passphrase per send.
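As an added illustration (not part of the original post), here is a small Python script that generates a Diceware-style passphrase, reports its entropy, and checks a candidate against the length, document-content and reuse rules above. The word list, document text and vault entries are constructed samples; a real Diceware list has 7776 words.

```python
import math
import re
import secrets

# Constructed sample word list; a real Diceware list has 7776 words.
WORDS = ["anchor", "basil", "canyon", "dune", "ember", "falcon", "glacier",
         "harbor", "iris", "juniper", "kestrel", "lumen", "meadow", "nectar",
         "orchid", "pebble", "quartz", "ridge", "saffron", "tundra", "umber",
         "velvet", "willow", "yarrow", "zephyr"]


def generate_passphrase(n_words=5, wordlist=WORDS):
    """Pick n_words uniformly at random with the OS CSPRNG, joined by hyphens."""
    return "-".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n_words drawn uniformly from a list of wordlist_size words."""
    return n_words * math.log2(wordlist_size)


def check_password(password, document_text, vault_entries, min_length=12):
    """Return the list of rule violations; an empty list means the password passes.

    vault_entries maps file name -> password already in use (one per document).
    """
    problems = []
    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    # Any word of the candidate that also appears in the document is a giveaway
    # (names, dates, codenames); only tokens of 4+ characters are compared.
    doc_words = set(re.findall(r"[a-z0-9]+", document_text.lower()))
    for part in re.findall(r"[a-z0-9]+", password.lower()):
        if len(part) >= 4 and part in doc_words:
            problems.append("contains '%s', which appears in the document" % part)
    if password in vault_entries.values():
        problems.append("already used for another document")
    return problems


if __name__ == "__main__":
    # Constructed sample document and vault.
    doc = "ACME Corp payslip for March 2024"
    vault = {"payslip-feb.pdf": "velvet-ridge-harbor-iris-dune"}
    print(check_password("acme-payslip-march-2024", doc, vault))
    print(check_password("velvet-ridge-harbor-iris-dune", doc, vault))
    print(generate_passphrase(), "%.1f bits" % passphrase_entropy_bits(5, 7776))
```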
Storage and rotation
Store passwords in a team password manager (1Password Teams, Bitwarden, LastPass). Plain spreadsheets are a leak waiting to happen. Tag entries with the recipient and the date.
Rotate when a recipient leaves, when a project closes, or when you discover the password was sent insecurely. Re-encryption is a one-step operation in Flint's password tool.
Distribution
File by one channel, password by another. Never both in the same email. Use a password manager's secure-send link to share, or a text message. Confirm the recipient opened the file, then mark the password as 'delivered' in your ledger.
For very high-sensitivity files, follow up with a phone call to confirm the password worked.
FAQ
How often should I rotate PDF passwords?
When a person with access leaves, when a project closes, or when there's any reason to think the password leaked. Calendar-driven rotation is overkill for most documents.
Can I write the password on the document itself?
No. That defeats the encryption — anyone who finds the document has the key.
Should everyone in the team know the password?
Only those who need to open the file. The smaller the circle, the smaller the blast radius if it leaks.
Is 'P@ssw0rd123' strong enough?
No. It's in every cracking dictionary on the planet. Generate a real passphrase.
Good habits look boring. Encrypt your next PDF and start the boring streak.