How to add password protection to a PDF file

What password protection actually protects you from

Encryption is a high-confidence tool against very specific threats and useless against others. Knowing which is which keeps you from over-trusting it.

• Defends well: Someone who intercepts the file in transit (open Wi-Fi, compromised email server, lost USB stick, leaked cloud-storage link) but does not have the password. Someone who finds the file later on a stolen laptop. A misdirected email that goes to the wrong inbox. In all of these the encrypted file is opaque without the password.
• Useless against: The intended recipient. Once you share the password, the recipient can read everything, copy the text, screenshot every page, print to another PDF without protection, or forward the original file with the password to anyone else. Encryption is access control, not usage control. For "the recipient can read it but not print it" you need DRM, which is a different category of tool (Acrobat Pro with rights management, FileOpen, Vitrium) and rarely free.
• Useless against: A weak password. AES-256 is currently considered unbreakable against brute force on a long, random password¹. It is trivially breakable against "password123" — modern GPU rigs test billions of dictionary guesses per second. Picking the right password is more important than picking the right encryption.

Step-by-step: add a password to a PDF

The ScoutMyTool Protect PDF tool lives at scoutmytool.com/pdf/protect-pdf. Encryption is done server-side because shipping a full AES-256 + qpdf implementation to every browser would add 30 MB to the page load; the file is uploaded over HTTPS, encrypted in a per-request temp directory, and the temp files are deleted immediately after the response is sent.

1. Pick your password before opening the tool. Use a password manager to generate it — 16 characters with mixed case, digits, and symbols is a solid default. Save it to the password manager first, then copy it to the tool. Generating-then-typing into the tool first is how passwords get lost (you protect the file, share it, then realise you never wrote the password down — the file is now permanently encrypted to you).
2. Open the tool and drop your PDF. One file at a time, up to 50 MB. If your file is larger, run it through Compress PDF first (image-heavy docs shrink 3–5×) or split into chunks under 50 MB with Split PDF, encrypt each chunk separately, and merge them back together.
3. Paste the password into the password field. Minimum 4 characters (enforced by the tool — anything shorter fails with a clear error), no maximum. The hint under the field reminds you that there is no recovery if you forget it; treat this as a structural property of the cryptography, not an implementation limit.
4. Click "Protect PDF". The tool runs a client-side pre-flight first (file size < 50 MB, file not already encrypted) to fail fast before initiating any upload — saving you the upload-then-server-rejection round trip. Then it uploads, encrypts server-side with AES-256, and streams the protected file back as a download.
5. Test the protected file before sending. Open it locally in any reader; you should see a password prompt. Type the password; the PDF opens. Type a wrong password; access is denied. Two quick tests, ten seconds total, confirms the protection actually applied.
6. Send the file and password through different channels. If you email the file, text the password (or paste into a Signal chat, or hand-deliver). If both go through the same email thread, an attacker who compromises one channel has both. This is the single most-skipped step in everyday encrypted-file sharing — encryption is wasted if you bundle the key with the ciphertext.
7. Save the password somewhere safe. Password manager preferred. A typed note in your password-manager's secure notes field is fine. A sticky note on your monitor is not. The "I forgot the password" failure mode is the most common way protected PDFs become useless — and there is no workaround when it happens.
8. If your PDF is already password-protected. The tool refuses with a clear "already protected" error. The right workflow: Unlock PDF (with the existing password) to remove the old password, then come back here to set the new one. Two clicks, both explicit, no hidden re-encryption.

How ScoutMyTool compares to Smallpdf, iLovePDF and PDF2Go

All four offer PDF password protection. The meaningful differences are: encryption strength on the free tier (AES-128 vs AES-256), whether the encryption strength is even disclosed, and free-tier daily quotas.

Third-party encryption-strength claims, free-tier caps, and feature gating taken from each vendor's public product pages as of May 2026 and may change. AES-128 is still considered cryptographically strong for current and foreseeable threat models, but AES-256 is the higher-security choice and what every modern recommendation (NIST SP 800-131A) prefers for new deployments.

One honest tradeoff: the ScoutMyTool tool supports an open-password only (single password to open the file). Smallpdf and iLovePDF Premium tiers expose a second permission password that lets a user open the file but restricts what they can do (printing, copying, editing). The two-permission model is part of the PDF specification (ISO 32000-1 §7.6.4 "Public-Key Security Handlers"²) but is widely considered weak in practice — readers respect it voluntarily, and many do not. For real usage-control, you want DRM, not the PDF permission flag.

Five things to know about choosing the password

• Length beats complexity. A 20-character lowercase passphrase is mathematically stronger than a 12-character mixed passphrase, and easier to remember.
• Random is stronger than chosen. Password-manager auto-generated passwords are essentially impossible to crack; human-chosen passwords cluster around patterns that crackers exploit (NIST SP 800-63B explicitly recommends against composition rules and instead recommends length + screening against known-bad lists).
• Avoid anything you have used before. If your email password leaks (database breach), the attacker now tries that password on every file they find with your name on it.
• Pass it through a different channel. Email the file, text the password — or vice versa. Never the same channel.
• Save it before you share it. The "I encrypted the file, sent it, then forgot the password" mistake is hard to recover from — for everyday business documents you might just re-export from the source, but for one-off legal or signed originals there is no path back.

Related PDF tools on ScoutMyTool

• Protect PDF — the tool this guide is about: add an AES-256 password to a PDF.
• Unlock PDF — remove a password (required first if you want to change an existing password).
• Permanent Redaction — for sensitive content where encryption is not enough.
• Sign PDF — drop a signature on the file before protecting.
• Compress PDF — shrink the file to fit under the 50 MB encryption cap.
• Split PDF — break into <50 MB chunks if the source is too large.
• Merge PDF — recombine encrypted chunks before sending.

Frequently asked questions

What kind of encryption is this — and is it actually strong?

AES-256 — the same Advanced Encryption Standard cipher used by banks, the U.S. government for TOP SECRET data, and Adobe Acrobat for its highest security tier. AES-256 is standardised as NIST FIPS 197 and is considered unbreakable by brute force against a long password with today's and any foreseeable computing technology. The vulnerability is not the algorithm; it is the password. A 4-character lowercase password is trivially crackable (260,000 combinations — minutes on a modern GPU); a 16-character mixed-case-digit-symbol password has more entropy than the universe has had time to enumerate.

What does the password actually protect against?

A password-protected PDF blocks people who DON'T have the password from opening, copying text from, printing, or extracting the content. It does NOT protect against people who do have the password — they can read, screenshot, copy-paste, print, OCR-bypass the print, or forward the file freely. PDF encryption is a "lock the door" measure, not a "make the contents disappear" measure. For documents where you also need to control what authorised recipients can do, you need a DRM-style solution (digital rights management) rather than file-level encryption, which is in a different category of tool entirely.

What happens if I forget the password?

There is no recovery. AES-256 is one-way once the password is forgotten — the file cannot be opened, the password cannot be reset, and no support team can "unlock" it because the encryption key is derived directly from your password (PBKDF2 with thousands of iterations, per ISO 32000-1 §7.6.4). Save the password somewhere safe before sharing the file — a password manager, an encrypted note, a printed copy locked in a drawer. The "I lost it" failure mode is the single most common way password-protected PDFs become useless.

Is my PDF uploaded to your server?

For this specific tool, yes — encryption uses qpdf server-side because shipping a 30 MB AES-256 implementation to every browser would balloon page load. Your PDF is uploaded over HTTPS, encrypted with your password in a per-request temp directory, the encrypted output is streamed back, and the temp files are deleted immediately after the response is sent. We don't archive uploads, train models on them, or share them. If you have an extreme privacy requirement (state-secret level), do the encryption locally with a tool like Acrobat Pro, qpdf CLI, or PDFtk; for everyday password protection of contracts, invoices, and HR documents, the upload-and-immediate-delete pipeline is fine.

What's the file size limit?

50 MB per file. If your PDF exceeds that, run it through Compress PDF first (image-heavy documents shrink 3–5× at default quality with no visible loss) or split into chunks under 50 MB with Split PDF, encrypt each chunk separately, and merge the encrypted chunks back together. The 50 MB cap is a guard against runaway server resource usage during the encryption pass.

Can I re-encrypt an already-protected PDF with a new password?

Not in one step. The tool refuses already-encrypted inputs with a clear error message — silently round-tripping would either fail (the source content streams are unreadable without the existing password) or succeed in a way that strips your existing password without explicit consent. The right workflow: run the existing-password PDF through Unlock PDF (you will need the existing password) to remove encryption, then run the unlocked copy through Protect PDF to set a new password. Two clicks, both explicit.

What length / complexity should the password be?

For everyday business documents, 12+ characters with a mix of uppercase, lowercase, digits, and a symbol is a strong floor. For sensitive documents (legal, medical, financial), 16+ characters. Long-but-memorable passphrases ("correct horse battery staple") are stronger than short-but-complex ones (the seminal XKCD #936 cartoon is the cultural shorthand for this; the underlying math is in NIST SP 800-63B). Avoid: dictionary words by themselves, sequential keyboard runs (qwerty), birthdays, names, and any password you have ever used for another account.