A client asks if the report is encrypted. You say yes — it has a password. They ask what cipher. You don't know. That moment is when the difference between the two words becomes urgently important.
The password is the door key
A password is a string of characters you type to prove you're allowed in. It's *human-shaped* — it can be guessed, written down, shared, forgotten, brute-forced. The strength of a password is measured in entropy: how hard would it be to try every possibility?
A twelve-character random password has billions of possibilities. A six-character one has, by comparison, very few. Same idea, very different security.
Encryption is the lock mechanism
Encryption is the maths that turns readable content into unreadable bytes. It runs a key (derived from the password) through a cipher (AES-128 or AES-256, for modern PDFs). The cipher is the bit that actually keeps the data secret.
You can have strong encryption with a weak password — and the weak password is the failure point. You can have a strong password with old encryption (RC4-40, from 1990s PDFs) — and the cipher is the failure point.
Why people conflate them
Because when you 'password-protect' a PDF, you're doing both at once. The password is the input; encryption is the output. The UI usually just asks for a password and quietly does the encryption behind it.
That's fine — until someone asks 'what cipher?' or 'is this AES-256?'. The answer matters in regulated industries. Compliance teams want both: a strong cipher *and* a strong password policy.
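One way to answer 'what cipher?' for a given file, as an added example (not Flint's code and not part of the original article): a heuristic Python scan of the PDF's encryption dictionary that maps its /V and /CFM entries to a cipher and to the verdicts used in this article. The function name `pdf_cipher` and the sample bytes are constructed for illustration, and the scan is not a full PDF parser.

```python
import re

# Constructed sample files: minimal fragments built for this example, not real documents.
SAMPLE_AES256 = (b"%PDF-1.7\n9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 "
                 b"/CF << /StdCF << /CFM /AESV3 /Length 32 >> >> >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF\n")
SAMPLE_RC4_40 = (b"%PDF-1.3\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n")
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
VERDICTS = {"AES-256": "current best practice", "AES-128": "acceptable"}

def pdf_cipher(data: bytes) -> dict:
    """Heuristic raw-byte scan of a PDF's /Encrypt dictionary (hypothetical helper)."""
    if b"/Encrypt" not in data:
        return {"encrypted": False, "handler": None, "cipher": None,
                "verdict": "not encrypted"}
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if ref:  # usual case: the trailer points at an indirect object
        obj = re.search(rb"(?<!\d)%s\s+%s\s+obj(.*?)endobj" % ref.groups(),
                        data, re.S)
        if obj is None:
            raise ValueError("encryption dictionary object not found")
        body = obj.group(1)
    else:    # dictionary written inline after the /Encrypt key
        body = data[data.rindex(b"/Encrypt"):]
    handler = re.search(rb"/Filter\s*/([\w.]+)", body)   # Standard = password-based
    version = re.search(rb"/V\s+(\d+)", body)
    length = re.search(rb"/Length\s+(\d+)", body)        # key length in bits for /V 2
    methods = set(re.findall(rb"/CFM\s*/(\w+)", body))   # crypt filter methods (/V 4, 5)
    v = int(version.group(1)) if version else 0
    if v == 5 and methods == {b"AESV3"}:
        cipher = "AES-256"
    elif v == 4 and methods == {b"AESV2"}:
        cipher = "AES-128"
    elif v == 4 and methods == {b"V2"}:
        cipher = "RC4"  # /V2 crypt filter is RC4; key length varies
    elif v == 2:
        cipher = "RC4-%d" % (int(length.group(1)) if length else 40)
    elif v == 1:
        cipher = "RC4-40"
    else:
        cipher = "unknown"  # mixed or unrecognised settings
    verdict = "re-encrypt" if cipher.startswith("RC4") else VERDICTS.get(cipher, "inspect manually")
    return {"encrypted": True, "handler": handler.group(1).decode() if handler else None,
            "cipher": cipher, "verdict": verdict}

if __name__ == "__main__":
    for label, pdf in [("aes256", SAMPLE_AES256), ("rc4-40", SAMPLE_RC4_40), ("plain", SAMPLE_PLAIN)]:
        print(label, pdf_cipher(pdf))
```

A handler other than `Standard` in the result means the file is not using password-based encryption, such as the certificate-based setup covered in the FAQ.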
FAQ
If a PDF has a password, is it encrypted?
Almost always yes — modern PDF tools encrypt as part of password protection. But check the cipher: AES-256 is current best practice; AES-128 is acceptable; anything older should be re-encrypted.
Can a PDF be encrypted without a password?
Yes, with certificate-based encryption — the file is encrypted with a public key, and only the holder of the corresponding private key can open it. Less common, used in enterprise PKI setups.
Is the password stored inside the PDF?
No. A hash derived from the password is used to unlock the encryption key. The password itself is never written into the file.
Which matters more, password or cipher?
Both, but the password is almost always the weaker link. AES-256 is functionally unbreakable; a six-character password is breakable in minutes.
Use a strong password *and* modern encryption — Flint applies both by default.