How to share PDFs securely — passwords, expiry links, watermarks

Three layers of PDF sharing security — passwords, expiry, and watermarks. When to use each.

By ScoutMyTool Editorial Team · Last updated: 2026-05-20

Introduction

A board deck, an M&A teaser, a salary letter, an unpublished research paper — every week brings a PDF that should be readable by exactly one recipient and no one else. The defaults (attach to email, send) work for ordinary documents and fail for sensitive ones. This article maps the three layers of PDF sharing security (password, expiry, watermark), what each actually protects against, and the specific patterns for the three most common high-sensitivity scenarios.

The three security layers — what each protects against

| Layer | Protects against | Does NOT protect against |
|---|---|---|
| PDF password (user password) | Opportunistic access by anyone who intercepts the file without the password | Anyone with the password can copy, forward, or share the file freely |
| PDF owner password + restrictions | Casual modification, printing, or copy-paste | Restrictions are routinely bypassed by any decent PDF editor; deterrent only |
| AES-256 file encryption | Brute-force password attacks (for strong passwords); intercepted file at rest | A user with the password and any standard reader |
| Expiry-based sharing links | Forwarded access after the expiry; long-lived URL exposure | Anyone who downloads the file before expiry |
| Visible watermark with recipient name | Casual screenshot-and-forward (recipient is identifiable) | Determined leak; watermarks deter but do not prevent |
| Digital rights management (DRM) | Unauthorised opening of the file outside an authorised reader | Anyone who can run authorised software can extract content |

Step by step — share a board deck (high sensitivity)

  1. Add a per-recipient visible watermark. Use Watermark PDF with recipient name + date on every page. If the document leaks, the watermark identifies which recipient had access.
  2. Apply AES-256 password protection with a strong passphrase (12+ characters, mixed). Use Protect PDF — runs in your browser, no upload.
  3. Host on a controlled share platform with link expiry (most corporate file-share platforms support this: Box, Dropbox Business, Google Drive). Set expiry to 7 days unless the meeting agenda dictates longer.
  4. Send the link via email; send the password via SMS or Signal. Use a different channel for the password than for the file itself, so that if either channel is intercepted alone, the document remains protected.
  5. Verify recipient receipt — quick acknowledgement message ("confirmed you got both?"). Revoke the share link after the meeting if the file is no longer needed. Archive an unwatermarked, unencrypted copy in your own secure storage for the record.

FAQ

What is the difference between PDF "user password" and "owner password"?
User password (also called "open password") is required to open the PDF. Without it, the file cannot be decrypted by any viewer. Owner password (also called "permissions password") restricts what the recipient can do after opening — modify, print, copy text. The owner-password restrictions are largely advisory: most modern PDF editors honour them by greying out menus, but many tools (PDFsam, qpdf, and most paid editors) will ignore them with one click. Use the user password for actual confidentiality (no password = no access); use owner-password restrictions only as a soft signal of intent, not as security.
How strong does the password need to be?
For AES-256 PDF encryption, a 12+ character password mixing letters, numbers, and symbols is well beyond brute-force range with current hardware (>10^20 combinations). For AES-128, 14+ characters is similarly safe. For older RC4 encryption (default in PDF 1.6 and earlier), no password length is genuinely safe — modern cracking tools defeat RC4 PDFs in hours regardless of password complexity. Choose modern AES-256 if your reader supports it (Acrobat 9 and later, most modern readers). Avoid dictionary words and personal information; favour passphrase patterns (random four-word combinations are both memorable and high-entropy).
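A pre-send check for the RC4-versus-AES point above, and for step 2 of the board-deck procedure: this added example (not code from ScoutMyTool or any tool named here) reads the Standard security handler's encryption dictionary from raw PDF bytes and reports the cipher. The function names and the two sample fragments are constructed for illustration, and the byte scan is a heuristic rather than a full PDF parser.

```python
import re

# Matches each indirect object body: "<num> <gen> obj ... endobj".
OBJ = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
# Crypt filter method names (ISO 32000 encryption dictionary) -> cipher.
CFM_TO_CIPHER = {"V2": "RC4-128", "AESV2": "AES-128", "AESV3": "AES-256"}

def _int_entry(body: bytes, key: bytes, default: int) -> int:
    m = re.search(rb"/" + key + rb"\s+(-?\d+)", body)
    return int(m.group(1)) if m else default

def classify_pdf_encryption(data: bytes):
    """Return the cipher named by the Standard security handler, or None."""
    # Scanning raw bytes works because the encryption dictionary is never
    # placed inside a compressed object stream.
    for m in OBJ.finditer(data):
        body = m.group(1)
        if not re.search(rb"/Filter\s*/Standard\b", body):
            continue
        v = _int_entry(body, b"V", 0)
        if v == 1:
            return "RC4-40"
        if v == 2:  # /Length is the key size in bits, 40 if absent
            return f"RC4-{_int_entry(body, b'Length', 40)}"
        cfm = re.search(rb"/CFM\s*/(\w+)", body)  # V 4 and V 5 use crypt filters
        name = cfm.group(1).decode("ascii") if cfm else "none"
        return CFM_TO_CIPHER.get(name, f"unknown (V={v}, CFM={name})")
    return None

def is_legacy(cipher) -> bool:
    """True for the RC4 variants the article says to avoid."""
    return bool(cipher) and cipher.startswith("RC4")

# Constructed fragments (not real documents): only the parts the check reads.
SAMPLE_RC4 = b"""%PDF-1.4
5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >>
endobj
"""
SAMPLE_AES256 = b"""%PDF-1.7
8 0 obj
<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904
   /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>
   /StmF /StdCF /StrF /StdCF >>
endobj
"""
```

Run it on the protected output file before uploading: a result that `is_legacy` flags means the tool fell back to RC4 and the file should be re-encrypted.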
When should I use expiry links versus password-protected PDFs?
Use both, layered. Password-protected PDFs protect the file itself: anyone who has the file but not the password cannot open it, ever. Expiry links protect the access channel: even with the password, the file is only downloadable for a finite window (24 hours, 7 days, until first view). For board materials, M&A documents, and pre-announcement product roadmaps, both layers are appropriate — the password defends against the file leaking, the expiry defends against the link being forwarded. For ordinary contracts and invoices, password alone is overkill; an unprotected email attachment is typically fine.
How do I add a recipient-specific watermark for traceability?
Apply a visible watermark with the recipient's name, organisation, and a timestamp on every page of the PDF before sending. ScoutMyTool Watermark PDF supports this directly. If the document later appears in an unauthorised place, the watermark identifies which recipient leaked it (or, equally important, which recipient was breached). For high-stakes documents, also include a unique tracking code per recipient — useful when the same document is sent to many recipients and the watermark text alone is not distinctive enough. Watermarks deter accidental forwarding far more than determined leaking, but the deterrence effect is meaningful.
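One way to produce the per-recipient tracking code described above (and the watermark text for step 1 of the board-deck procedure), as an added example that is not ScoutMyTool's code. It derives the code with HMAC-SHA256 so the sender needs only a secret key, not a lookup table, to map a leaked copy back to a recipient; the key, document ID, names and addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
from datetime import date

def tracking_code(key: bytes, doc_id: str, recipient_email: str, length: int = 10) -> str:
    """Derive a short code bound to one document and one recipient."""
    msg = doc_id.encode() + b"\x00" + recipient_email.strip().lower().encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Base32 (A-Z, 2-7) survives being retyped from a screenshot or printout.
    return base64.b32encode(digest).decode("ascii")[:length]

def watermark_text(key: bytes, doc_id: str, name: str, org: str,
                   email: str, sent: date) -> str:
    """Name, organisation, date and tracking code, as one watermark line."""
    code = tracking_code(key, doc_id, email)
    return f"{name} | {org} | {sent.isoformat()} | {code[:5]}-{code[5:]}"

def attribute_leak(key: bytes, doc_id: str, recipients, observed: str):
    """Map a code read off a leaked copy back to a recipient, or None."""
    cleaned = "".join(ch for ch in observed.upper() if ch.isalnum()).encode()
    for email in recipients:
        expected = tracking_code(key, doc_id, email).encode()
        if hmac.compare_digest(expected, cleaned):
            return email
    return None

# Constructed sample values. In practice generate the key once with
# secrets.token_bytes(32) and keep it with the archived original.
KEY = bytes(range(32))
DOC_ID = "board-deck-2026-q2"
RECIPIENTS = ["a.rivera@example.com", "j.chen@example.com", "m.okafor@example.com"]

if __name__ == "__main__":
    line = watermark_text(KEY, DOC_ID, "A. Rivera", "Example Corp",
                          RECIPIENTS[0], date(2026, 5, 20))
    print(line)
    print(attribute_leak(KEY, DOC_ID, RECIPIENTS, line.rsplit(" | ", 1)[1]))
```

Because the code depends on the key, a recipient cannot compute another recipient's code to shift blame, and the same recipient gets a different code on every document.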
Can I revoke access to a PDF after it has been sent?
Not really — a PDF, once delivered, is a self-contained file. Even with DRM, revocation depends on the reader honouring a "phone home" check, which most readers do not. The practical approach: do not send the file directly; instead, send a link to a hosted file you control, set an expiry, and revoke the link if needed. The recipient sees a link, downloads the file to view, and (depending on the platform) may not be able to keep a copy after expiry. For true revocation, use a document-rights-management platform (Adobe Experience Manager DRM, Locklizard, FileOpen) which requires a controlled reader and enforces revocation at open-time.
Are free online PDF protection tools actually secure?
Client-side tools are secure by default — your file never leaves the machine, so the protection step itself does not create a new exposure. ScoutMyTool Protect PDF, Password Protect runs in the browser; the file is never uploaded. Server-side tools (Smallpdf, iLovePDF) upload your file, apply protection on their server, and stream the protected file back. For non-sensitive documents this is fine; for sensitive documents the upload defeats the purpose of protecting the file in the first place. Always check whether a "free protection" tool is client-side or server-side; the distinction matters more than which encryption algorithm they advertise.
How do I share a password with the recipient without it leaking too?
Out-of-band sharing — different channel from the file itself. Common pattern: email the password-protected PDF, send the password by SMS, encrypted messaging app (Signal, WhatsApp), or in-person/phone call. The key is that someone who intercepts the email does not also see the password. For ongoing recipient relationships, agree on a memorable password convention once verbally (e.g. "use the standard project password we agreed on"); thereafter, no per-document transmission is needed. For one-off recipients, use a temporary password and an out-of-band channel.
