A vendor's compliance form asks if your client PDFs are 'fully protected'. You ticked 'yes, password' and felt secure. The honest answer is more nuanced.
The recipient is the weakest control
Encryption keeps content private *until* the legitimate recipient opens it. After that, they can forward, screenshot, print, or paste content elsewhere. No password stops a human with intent.
This is why high-stakes documents use watermarks (so leaks are traceable), audit logs (so access is recorded), and DRM viewers (so even legitimate readers can't trivially exfiltrate content).
Metadata and structure leak
Depending on the encryption mode, an encrypted PDF can leave document metadata (title, author, software, creation date) readable. The file structure also leaks document length (page count) and image counts. Most threat models don't care; some do.
If the existence of the document is itself sensitive, encryption isn't enough — you need to control where it lives, who knows about it, and what its file name reveals.
Brute force is possible against weak passwords
AES-256 itself is unbreakable. A six-character password isn't. Off-the-shelf tools try millions of guesses per second; weak passwords fall in minutes.
This is the most common real-world break. Mitigation is simple: use a 16-character passphrase generated by a password manager. Suddenly brute force takes longer than the universe has existed.
Same-channel password distribution
Send the password in the same email as the file and you've achieved nothing. Anyone intercepting the message gets both. Use a different channel — text, phone call, password manager secure-send.
Most real-world PDF leaks don't break the encryption; they exploit the human routing of the password.
What encryption can't replace
For documents that need authorship proof: add a signature. For documents that need to redact sensitive sections: redact properly. For documents that need recall: store them in a portal with revocable access, not as email attachments.
Password protection is one layer in a sensible stack. Don't expect it to be the whole stack.
FAQ
Is a password-protected PDF safe to email?
Safer than not. With a strong password and out-of-band sharing, it covers most everyday threats. Combine with redaction and signature for higher-stakes documents.
Can someone strip the password without knowing it?
Not for the open password — that's the encryption gate. Owner-password restrictions can be stripped trivially. Don't rely on them for confidentiality.
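To see what a file actually declares before you trust it, here is an added example (not part of the original post) that reads a PDF's /Encrypt dictionary without decrypting anything and flags the two points made here and in the metadata section: whether XMP metadata was left in plaintext (/EncryptMetadata false) and which /P permission bits exist only as owner-password restrictions a cooperating viewer enforces. The sample bytes are a constructed trailer fragment, and the grading of V/R values is my own choice.

```python
import re

# Constructed sample (not an openable PDF): a trailer pointing at an /Encrypt object, as
# written by a tool that chose AES-256 (V=5, R=6) but left XMP metadata in plaintext.
SAMPLE_PDF = b"""%PDF-1.7
12 0 obj
<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904 /EncryptMetadata false
   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
   /StmF /StdCF /StrF /StdCF /O <00> /U <00> /OE <00> /UE <00> /Perms <00> >>
endobj
trailer
<< /Size 13 /Root 1 0 R /Info 2 0 R /Encrypt 12 0 R /ID [<aa> <bb>] >>
"""

def find_encrypt_dict(data: bytes):
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return None  # no /Encrypt entry in the trailer: the file declares no encryption
    # Non-greedy up to "endobj" so the nested << >> of /CF cannot cut the match short.
    pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj\s*(<<.*?)\s*endobj"
    obj = re.search(pat, data, re.S)
    return obj.group(1) if obj else None

def int_key(d: bytes, key: bytes):
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", d)
    return int(m.group(1)) if m else None

def audit_encryption(data: bytes) -> dict:
    """Grade the settings a PDF declares; nothing here decrypts or touches content."""
    d = find_encrypt_dict(data)
    if d is None:
        return {"encrypted": False, "findings": ["no /Encrypt entry: content is plaintext"]}
    v, r, bits = int_key(d, b"V"), int_key(d, b"R"), int_key(d, b"Length") or 40
    meta_encrypted = re.search(rb"/EncryptMetadata\s+false", d) is None
    findings = []
    if v == 5 and r == 6:
        cipher = "AES-256"
    elif v == 4:
        cipher = "AES-128" if b"/AESV2" in d else "RC4-128 (crypt filter)"
        findings.append("V4: re-issue with AES-256 (V5/R6) when the document is next produced")
    else:
        cipher = "RC4-%d" % bits if v in (1, 2) else "unrecognised (V=%s, R=%s)" % (v, r)
        findings.append("legacy or unrecognised scheme: re-encrypt with AES-256")
    if not meta_encrypted:
        findings.append("EncryptMetadata false: XMP metadata (title, author, dates) is readable")
    # /P is the owner-password restriction mask; only the viewer enforces it, the file cannot.
    p = int_key(d, b"P") or -1
    perms = {name: bool(p & bit) for name, bit in (("print", 4), ("modify", 8), ("copy", 16))}
    return {"encrypted": True, "cipher": cipher, "metadata_encrypted": meta_encrypted,
            "advisory_permissions": perms, "findings": findings}
```

Run `audit_encryption(open(path, "rb").read())` on a real file; a non-empty `findings` list is the cue to re-issue the document with better settings, and `advisory_permissions` is never a reason to skip the open password.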
What's the most common real-world break?
Weak passwords and same-channel distribution. Both are user-side mistakes, not crypto failures.
Should I add more than one layer of protection?
For genuinely sensitive material, yes. Encryption + redaction + signature + controlled distribution is the standard stack.
Know what your password does — and what it doesn't. Layer it with proper redaction when content matters.