Encrypted Data Rooms vs Password-Protected PDFs
Owner-password restrictions come off in seconds, and a user password is only as strong as the word you emailed alongside the file. Here's why both are giving your clients false confidence, and what real document encryption looks like.
A very common pattern in Australian professional services: you've got a confidential document to send, so you "password-protect" it in PDF and email it. Here's why that pattern is giving you false confidence — and what actual encryption looks like.
What PDF password protection actually does
PDF has two kinds of "password". The owner password sets the permission flags (no editing, printing or copying); the user password is what a reader must supply to open the file. Only the user password provides any real protection, because the content is encrypted under a key derived from it, while the owner restrictions are just flags that a well-behaved viewer promises to honour. Even then, the protection is only as good as the encryption the file uses: the 40-bit RC4 of PDF 1.3-era files can be brute-forced directly on the key, whatever the password, whereas the AES-128 and AES-256 handlers of later versions cannot.
Here's the catch: with a modern handler (AES-256, revision 6 of the standard security handler) the encryption itself is sound, and the weakness is almost always the password, not the algorithm. Cracking tools such as hashcat and John the Ripper don't attack AES; they derive candidate keys from guessed passwords and test them against the check value stored in the file, so a pattern like "audit2026" (a word plus a year) falls to a wordlist with rules in well under a minute. One historical wrinkle: Acrobat 9's first AES-256 scheme (revision 5) hashed the password with a single SHA-256 and cracks faster than the AES-128 files it replaced; revision 6 fixed that with an iterated hash. A properly random 16-character password would hold up against any of these, but nobody uses those, and even then the password still has to reach the recipient somehow.
The practical attacks
In practice, "encrypted" PDFs leak in these ways:
- Weak passwords chosen by humans. The password you send separately is almost never strong.
- Password reuse. The same password is used on multiple documents, and when one leaks, they all leak.
- Password transmission. The password gets sent via SMS, email, or voicemail — often through channels at least as exposed as the original email.
- Stripping tools. Owner-password-only restrictions are not a secret at all: the file decrypts with the empty user password, so qpdf --decrypt, or any viewer that simply ignores the permission flags, removes them instantly. Old 40-bit RC4 files can be brute-forced regardless of password, and a weak user password falls to a wordlist. And the "free online tools" people reach for mean uploading the confidential document to someone else's server.
- Screenshot and retype. Once the PDF is open, the content is decrypted in the viewer's memory and on the screen. Any recipient can screenshot, print, or forward it, with or without the password.
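To make the two-password model and the attacks above concrete, here is an added example (mine, not the article's or any PDF library's code) that implements the legacy standard security handler, revision 3 with 128-bit RC4, from the PDF 1.7 specification in plain Python. It builds the /O and /U entries a writer would store for a given pair of passwords, shows that an owner-password-only file authenticates with an empty user password, and runs a small wordlist-plus-year attack against a human-chosen user password. The passwords, file ID, /P value and wordlist are constructed for the example. The same structure (content key derived from the user password, permissions as flags) carries over to the AES-based revisions, which change only the key derivation.

```python
"""Added example, not code from the article: a stdlib-only model of the PDF
"standard security handler", revision 3 (128-bit RC4), following Algorithms 2,
3, 5 and 6 of ISO 32000-1 (PDF 1.7). It shows (a) why owner-password-only
"protection" gives no confidentiality: the content key is derived from the USER
password, which is empty, so the file decrypts with no secret at all; and (b) a
dictionary attack on a human-chosen user password. The passwords, file ID,
/P value and wordlist are constructed for the example."""
import hashlib
import struct
from typing import Iterable, Optional

# 32-byte padding string fixed by the spec (Algorithm 2, step a).
PAD = bytes.fromhex("28BF4E5E4E758A4164004E56FFFA01082E2E00B6D0683E802F0CA9FE6453697A")
KEY_LEN = 16  # /Length 128 -> 16-byte key (revision 3)

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling plus keystream; encrypt and decrypt are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def pad_password(pw: bytes) -> bytes:
    return (pw + PAD)[:32]

def compute_o(owner_pw: bytes, user_pw: bytes) -> bytes:
    """Algorithm 3: the /O entry is the USER password RC4-encrypted under a key
    derived from the owner password. It never protects the content itself."""
    h = hashlib.md5(pad_password(owner_pw)).digest()
    for _ in range(50):
        h = hashlib.md5(h).digest()
    key = h[:KEY_LEN]
    o = rc4(key, pad_password(user_pw))
    for i in range(1, 20):
        o = rc4(bytes(b ^ i for b in key), o)
    return o

def compute_key(user_pw: bytes, o: bytes, p: int, file_id: bytes) -> bytes:
    """Algorithm 2: the content-encryption key. Every input other than the user
    password (/O, /P, the file ID) is stored in the PDF in the clear."""
    h = hashlib.md5(pad_password(user_pw) + o + struct.pack("<I", p & 0xFFFFFFFF) + file_id).digest()
    for _ in range(50):
        h = hashlib.md5(h[:KEY_LEN]).digest()
    return h[:KEY_LEN]

def compute_u(key: bytes, file_id: bytes) -> bytes:
    """Algorithm 5: the /U entry, used only to test whether a password is right."""
    u = rc4(key, hashlib.md5(PAD + file_id).digest())
    for i in range(1, 20):
        u = rc4(bytes(b ^ i for b in key), u)
    return u + bytes(16)  # spec: 16 bytes of arbitrary padding

def check_user_password(cand: bytes, o: bytes, u: bytes, p: int, file_id: bytes) -> Optional[bytes]:
    """Algorithm 6: return the content key if `cand` opens the document, else None."""
    key = compute_key(cand, o, p, file_id)
    return key if compute_u(key, file_id)[:16] == u[:16] else None

def dictionary_attack(o: bytes, u: bytes, p: int, file_id: bytes,
                      words: Iterable[bytes], years: Iterable[int]) -> Optional[bytes]:
    """Toy version of a wordlist-plus-rules run: each word bare or with a year appended."""
    suffixes = [b""] + [str(y).encode() for y in years]
    for w in words:
        for suffix in suffixes:
            if check_user_password(w + suffix, o, u, p, file_id) is not None:
                return w + suffix
    return None

# Constructed document parameters: a file ID and a /P that denies printing,
# modification, copying and annotation (the usual "restricted PDF" setting).
FILE_ID = bytes.fromhex("5f8a1c0e2b7d4a9e8c6f3b2a1d0e9f88")
P_RESTRICTED = -3904

def encrypt_entries(user_pw: bytes, owner_pw: bytes):
    """What a PDF writer stores in /Encrypt for the given pair of passwords."""
    o = compute_o(owner_pw, user_pw)
    key = compute_key(user_pw, o, P_RESTRICTED, FILE_ID)
    return o, compute_u(key, FILE_ID)

def demo():
    # Case 1: "owner password only" (restrict printing/editing): user password is empty.
    o, u = encrypt_entries(b"", b"L0ng-0wner-Secret!")
    no_secret_needed = check_user_password(b"", o, u, P_RESTRICTED, FILE_ID) is not None
    # Case 2: a human-chosen user password; the tiny wordlist stands in for rockyou + rules.
    o2, u2 = encrypt_entries(b"audit2026", b"L0ng-0wner-Secret!")
    cracked = dictionary_attack(o2, u2, P_RESTRICTED, FILE_ID,
                                [b"password", b"report", b"audit", b"tax"], range(2020, 2031))
    return no_secret_needed, cracked

if __name__ == "__main__":
    print(demo())  # (True, b'audit2026')
```

The first result is True: with no password at all you hold the content key, which is exactly what qpdf --decrypt relies on for a restrict-only PDF. The second result is the recovered user password. hashcat's PDF modes test candidates the same way, but at GPU speed; the revision-6 AES-256 handler slows each guess with an iterated hash, which only helps if the password isn't in a wordlist in the first place.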
What "actually encrypted" means
Real encrypted document sharing works differently. The document is stored encrypted at rest on the server, and the key never leaves the server. Access is gated by an authenticated identity (SSO, MFA), not by a shared password that travels with the file. The document is decrypted only inside a viewer that the server controls, for a short-lived session bound to that identity, and the viewer enforces download, print and copy restrictions at the application layer. Every access, and every refused attempt, is written to a tamper-evident audit log tied to the identity that made it. Be precise about what that log gives you: a verifiable record of who saw what and when, which is strong evidence but not cryptographic non-repudiation in the strict sense unless the recipient signs each access with a key only they hold.
The key difference is that the recipient never receives the file, only a session-scoped view that can be revoked. You retain control of access at all times, not just during transmission. What this does not solve is the analogue hole: anything rendered on a screen can be photographed or retyped. What changes is that every viewing is attributable to a named identity, limited to what the viewer shows, and can be cut off, rather than a copy that lives forever in someone's inbox.
When is PDF password protection OK?
For low-stakes documents where you just want to add friction against casual access, a password-protected PDF is fine. For anything where a leak would be a real problem, it's security theatre. The audit trail is the giveaway: if you can't tell me who viewed the document last week and for how long, you don't have security, you have hope.