How to Password Protect a PDF — Free, Real AES Encryption

There are dozens of free 'add password to PDF' tools online. Most use 40-bit RC4 encryption (cracked since 2003) or no encryption at all (just metadata that any PDF reader ignores). This guide shows how to add genuine AES-256 password protection using a free, browser-based tool — and how to verify your PDF is actually protected.

TL;DR

  • Recommended encryption: AES-256 (industry standard, used by Adobe Acrobat)
  • Avoid: 40-bit RC4 (cracked since 2003), no encryption (metadata-only)
  • Best free tool with real AES: ShrinkTo (browser), PDF24 desktop (offline), Adobe Acrobat (paid)
  • Strong password: 12+ chars, mixed case, numbers, symbols, not a dictionary word
  • How to verify: Open with wrong password — should refuse to display content
  • Privacy tip: Use browser-based tool — your file never uploads

Three types of "PDF protection" — only one is real

When you search for "free PDF password tool" you'll find dozens of results. They fall into three categories with very different security:

1. AES-256 encryption (the real thing)

Industry-standard encryption used by Adobe Acrobat, banks, and government systems. The PDF content is mathematically scrambled with your password as the key. Without the password, the content is computationally impossible to recover (would take billions of years on current hardware). This is what you want for sensitive documents.

Tools that use it: Adobe Acrobat (paid), ShrinkTo, PDF24 desktop, Foxit Pro, Stirling-PDF.

2. 40-bit / 128-bit RC4 encryption (deprecated)

Older encryption standard from the 1990s. The 40-bit version was cracked in 2003 and can be brute-forced in minutes on modern hardware. The 128-bit version is harder to crack but still uses the deprecated RC4 cipher. Some free PDF tools default to RC4 because their underlying library is old.

Risk: Anyone with patience and free cracking tools (multiple exist) can open your "protected" PDF.

3. Metadata-only "protection" (fake)

The worst category. The PDF isn't actually encrypted — there's just a metadata flag that says "this PDF requires a password." Most PDF readers respect the flag and ask for a password. But ANY PDF tool that ignores the flag (lots of them do, including most online viewers) opens the document directly. The password isn't checked because there's nothing encrypted to check it against.

How to spot it: If the tool is suspiciously fast (under 1 second to "encrypt" a 50 MB file), it's probably metadata-only. Real encryption takes 5-15 seconds for large files.

Step-by-step: add real AES-256 protection

  1. Choose a tool that uses AES-256. ShrinkTo (browser), PDF24 desktop (offline), Adobe Acrobat (paid), or Stirling-PDF (self-hosted). Avoid generic "online PDF password" tools without verifying their encryption method.
  2. Open the protect-PDF tool. On ShrinkTo's protect tool, drop your PDF into the workspace.
  3. Choose a strong password. 12+ characters with mixed case, numbers, and symbols. Don't use birthdays, names, or dictionary words. Use a password manager to generate one if you can.
  4. Set the open password. This is the password required to view the document. The tool may also offer a separate "permissions password" — you can use the same one or set them differently.
  5. Configure permissions (optional). Decide whether viewers can print, copy text, or edit annotations. For sensitive documents, restrict all of these.
  6. Apply protection and download. The encryption process takes 5-15 seconds for typical PDFs. Download the encrypted file with a recognizable name (e.g., "contract_protected.pdf").
  7. Verify it actually works. Open the protected PDF in any PDF reader (Adobe, Foxit, Chrome). It should prompt for a password. Try entering a wrong password — it should refuse to display content.
  8. Store the password securely. If you lose the password, you cannot open the PDF. Store it in a password manager (1Password, Bitwarden, etc.) — not in the same email or folder as the PDF.

Choosing a strong password

The encryption is only as strong as the password. AES-256 is uncrackable with a 256-bit key, but if your password is "password123" the attacker doesn't need to break the encryption — they just guess the password.

  • 12+ characters minimum. Each additional character roughly doubles the time to brute-force.
  • Mix character types. Lowercase, uppercase, numbers, symbols. A 12-character all-lowercase password takes hours to crack; a 12-character mixed password takes years.
  • Avoid dictionary words. Crackers try dictionary words first — even with character substitution like "P@ssw0rd". A random string is exponentially safer.
  • Don't reuse passwords. If your PDF password matches your email password and the email gets breached, the PDF is compromised too.
  • Use a passphrase. "correct horse battery staple" (4 random words, 28 chars) is genuinely hard to crack and easier to remember than random characters. Use a tool like the EFF's diceware list to generate one.

PDF permissions — controlling what viewers can do

AES-encrypted PDFs support fine-grained permissions in addition to the open password:

  • Printing: Allow / restrict to low resolution / forbid entirely
  • Document changes: Allow / forbid editing the content
  • Content copying: Allow / forbid copying text or images
  • Form filling: Allow / forbid filling form fields
  • Page extraction: Allow / forbid extracting individual pages
  • Document assembly: Allow / forbid inserting/deleting/rotating pages
  • Commenting: Allow / forbid annotations
  • Accessibility: Always allow text-to-speech (recommended for ADA compliance)

For shared confidential documents, a common combination is: open password required, no printing, no copying, no editing — viewers can read it on screen but can't extract or modify content. Note: technical workarounds exist (screenshots, screen recording), so permissions are a deterrent, not absolute prevention.

Browser-based vs online — why it matters for sensitive PDFs

If you're password-protecting a PDF, the document is presumably sensitive. Uploading it to a third-party server to "encrypt" it is contradictory — the server has the unencrypted file before encryption begins.

For genuinely sensitive PDFs, use:

  • Browser-based tools: ShrinkTo performs all encryption in your browser using JavaScript libraries. The PDF never leaves your device. Verify via DevTools Network tab — no upload requests during processing.
  • Offline desktop apps: Adobe Acrobat (paid), PDF24 desktop, or Foxit Pro all run entirely on your computer.
  • Self-hosted: Stirling-PDF on your own server.

Avoid uploading sensitive PDFs to unverified online password tools — even if they're free.

How to verify your PDF is actually encrypted

Don't trust the tool's confirmation message. Verify the encryption yourself:

  1. Try opening with a wrong password. The PDF should refuse to display content. If it shows a "wrong password" dialog but lets you cancel and read anyway, the protection is fake.
  2. Check the encryption algorithm. In Adobe Acrobat: File → Properties → Security tab. It should show "AES 256-bit" or similar. If it shows "RC4 40-bit" or "None", re-protect with a better tool.
  3. Try a free PDF unlock tool. If a tool like SmallPDF's "unlock PDF" can open your file without a password (it shouldn't), the protection is fake or weak.
  4. Test in multiple readers. Open in Adobe, Foxit, Chrome's PDF viewer, and Apple Preview. All should require the password. If any opens without prompting, the protection is metadata-only.
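
To check the algorithm without Adobe Acrobat (step 2 above), the following added example, which is not code from any of the tools named on this page, scans a PDF's bytes for the /Encrypt dictionary and labels the algorithm from its /V and /CFM entries as defined for the standard security handler in ISO 32000. The function name and the sample fragments are constructed for illustration; the scan reports only what the file declares, so it complements the wrong-password test rather than replacing it.

```python
import re
import sys

def classify_encryption(pdf: bytes) -> str:
    """Label the algorithm declared in a PDF's /Encrypt dictionary (byte-scan heuristic)."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", pdf)
    if ref:
        # The trailer points at an indirect object, e.g. "/Encrypt 9 0 R" -> "9 0 obj".
        pat = rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2) + rb"\s+obj(.*?)endobj"
        obj = re.search(pat, pdf, re.S)
        if obj is None:
            return "unknown (encryption object not found)"
        body = obj.group(1)
    else:
        inline = re.search(rb"/Encrypt\s*<<", pdf)
        if inline is None:
            return "none"  # no encryption dictionary: content is stored in the clear
        body = pdf[inline.end():inline.end() + 2048]

    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(\d+)", body)
        return int(m.group(1)) if m else default

    v = num(b"V", 0)                                # algorithm version
    cfm = set(re.findall(rb"/CFM\s*/(\w+)", body))  # crypt filter methods (V 4 and 5)
    if v == 5 and b"AESV3" in cfm:
        return "AES-256"
    if v == 4 and b"AESV2" in cfm:
        return "AES-128"
    if v == 4 and b"V2" in cfm:
        return "RC4 (crypt filter)"
    if v == 2:
        return "RC4-%d" % num(b"Length", 40)        # key length in bits, default 40
    if v == 1:
        return "RC4-40"
    return "unknown (V=%d)" % v

# Constructed sample fragments (not real documents), just enough for the scan.
TRAILER = b"trailer\n<< /Root 1 0 R /Encrypt 9 0 R >>\n%%EOF"
AES256 = (b"%PDF-1.7\n9 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /CF << /StdCF "
          b"<< /CFM /AESV3 /Length 32 >> >> /StmF /StdCF /StrF /StdCF >>\nendobj\n" + TRAILER)
RC4_40 = b"%PDF-1.4\n9 0 obj\n<< /Filter /Standard /V 1 /R 2 >>\nendobj\n" + TRAILER
PLAIN = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF"

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, "->", classify_encryption(fh.read()))
    for name, data in (("AES256", AES256), ("RC4_40", RC4_40), ("PLAIN", PLAIN)):
        print(name, "->", classify_encryption(data))
```

Pass one or more PDF paths as arguments to classify real files. Any label other than AES-256 is a reason to re-protect the document with a different tool.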

Common mistakes

  • Using weak passwords. AES-256 with "1234" as the password is brute-forced instantly. Use 12+ random characters.
  • Storing the password in the same email as the PDF. Defeats the purpose. Send password via a separate channel (text message, phone call).
  • Forgetting the password. If you forget, you cannot recover the PDF. There is no Adobe support call that can help. Store the password in a password manager.
  • Trusting "we'll email you the password" tools. If a tool can email you the password, it stored your password in plain text — meaning the encryption is fake or weak.
  • Using metadata-only "protection" for legal documents. If the document gets disputed in court, metadata-only protection is essentially zero protection. Use real AES.
  • Removing the password before sending. If you encrypt a PDF, later remove the password, and forget that you did, the recipient gets an unprotected PDF. Verify before sending.

Frequently asked questions

Is browser-based PDF encryption really secure?
Yes. Browser-based tools like ShrinkTo use the same AES-256 algorithm as Adobe Acrobat, just running in JavaScript instead of native code. The encryption is mathematically identical. Verify by checking the resulting PDF's encryption properties — it should show AES-256.
What's the difference between user password and owner password?
User password (open password) is required to view the PDF. Owner password (permissions password) is required to change permissions or remove protection. They can be the same or different. Most tools default to using one password for both.
Can encrypted PDFs be cracked?
AES-256 with a strong password is computationally uncrackable — would take longer than the age of the universe with current hardware. Weak passwords (under 8 characters, dictionary words) can be cracked in minutes. The encryption is only as strong as the password.
Will encryption increase my PDF's file size?
Marginally — typically 1-5 KB increase for the encryption metadata. The content itself doesn't expand significantly because AES is a stream cipher that produces ciphertext the same size as plaintext.
Can I add a password without uploading my PDF anywhere?
Yes — browser-based tools (ShrinkTo) and offline desktop apps (PDF24, Adobe Acrobat, Foxit Pro) all encrypt locally without uploading. Browser-based tools are the easiest if you don't want to install software.
Why do some 'free' PDF protection tools not work?
Many use either deprecated 40-bit RC4 (crackable in minutes) or metadata-only flags (no actual encryption). Always verify the resulting PDF actually requires the password to view content. If a free 'unlock PDF' tool opens it, the protection wasn't real.
Can I remove a password from a PDF I created?
Yes — open the PDF with the correct password, then re-save it without protection. Tools like ShrinkTo's unlock-PDF or Adobe Acrobat's 'Remove Security' option do this. You need the original password to remove protection.
Is this safe for legal documents?
AES-256 is the same encryption used by banks and government systems for sensitive data. For legal documents, also consider digital signatures (which authenticate authorship) in addition to password protection (which controls access). Adobe Acrobat handles both.

Last verified: May 7, 2026.
