Monday, March 9, 2009

Choosing the Right Password for your PDF file

Choosing a good password for your PDF file in Solid PDF Tools Scan to PDF can be hard. However, Bruce Schneier reminds us that choosing a bad password has real-world consequences:

February 27, 2009

WIKILEAKS EDITORIAL

Wikileaks has cracked the encryption to a key document relating to the war in Afghanistan. The document, titled "NATO in Afghanistan: Master Narrative", details the "story" NATO representatives are to give to, and to avoid giving to, journalists.

...

The encryption password is progress, which perhaps reflects the Pentagon's desire to stay on-message, even to itself.


Although your data may not be as sensitive as NATO's, tools exist that can crack trivial passwords in a reasonable amount of time. Cracking a trivial password can take a matter of hours, because trivial passwords are dictionary words of 8 characters or less. A strong password, by contrast, can take months or even years to crack.

How do you make a strong password? First, let's start off with what makes a strong password:

1. You can somehow remember it (we'll touch on this later). If you lock yourself out of your own document, you have missed a major point of security: the document is supposed to stay available to you.

2. It contains uppercase and lowercase letters, numbers and symbols.

3. It is at least 8 characters long (8-16 is good enough in many cases, and 14 can be easiest if you can memorize two 7-character parts separately).

Now, how do you go about coming up with this password?

First, come up with a unique phrase you can easily remember. As an example (i.e. don't use this one) we'll use:

The quick brown fox jumps over the lazy dog


Next, take the first (or last, or second, whatever you prefer) letter from each word:

T q b f j o t l d


Now, look for letters that can be easily swapped with numbers (in this case zero for o and one for l):

T q b f j 0 t 1 d


And finally add in a symbol or two that makes sense based on what is happening (> after quick, ^ after jumps):

T q> b f j^ 0 t 1 d


Remove the spaces and you now have a strong password:

Tq>bfj^0t1d

(Again, we recommend that you not use this example.)
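The steps above, carried through in code as an added example (not part of the original post): the derivation from a phrase and a check against the three strength criteria listed earlier. The function names, the letter-to-digit table and the small word list are this example's own assumptions.

```python
"""Derive a password from a memorable phrase the way the post describes,
then check it against the post's strength criteria."""

# Letters the post swaps for look-alike digits (assumed table; extend as needed).
SUBSTITUTIONS = {"o": "0", "l": "1"}

# Constructed stand-in for a cracking dictionary; real lists hold millions of words.
COMMON_WORDS = {"progress", "password", "welcome", "letmein"}


def derive_password(phrase, symbols_after=None, pick=0):
    """Take the letter at index `pick` from each word (0 = first, -1 = last),
    swap letters for digits, and insert a symbol after the words named in
    `symbols_after` (word -> symbol). Words shorter than `pick` wrap around."""
    symbols_after = symbols_after or {}
    parts = []
    for word in phrase.split():
        ch = word[pick % len(word)]
        ch = SUBSTITUTIONS.get(ch, ch)        # case-sensitive: 'T' is left alone
        parts.append(ch + symbols_after.get(word.lower(), ""))
    return "".join(parts)


def strength_issues(password, min_len=8):
    """Return the criteria `password` fails; an empty list means it passes.
    A short dictionary word is flagged even if it meets the length rule."""
    checks = [
        ("at least %d characters" % min_len, len(password) >= min_len),
        ("an uppercase letter", any(c.isupper() for c in password)),
        ("a lowercase letter", any(c.islower() for c in password)),
        ("a digit", any(c.isdigit() for c in password)),
        ("a symbol", any(not c.isalnum() for c in password)),
        ("not a dictionary word", password.lower() not in COMMON_WORDS),
    ]
    return [name for name, ok in checks if not ok]


if __name__ == "__main__":
    pw = derive_password("The quick brown fox jumps over the lazy dog",
                         symbols_after={"quick": ">", "jumps": "^"})
    print(pw, strength_issues(pw))                  # Tq>bfj^0t1d []
    print("progress", strength_issues("progress"))  # fails four criteria
```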

Once you've done this you may want to read or sing this in your head a couple times. Don't worry about being out of key; the point is that you want to memorize it the same way that you memorized the alphabet or the latest potato chip commercial. After that, start using the password frequently (once or twice a day) and it should memorize itself.

What about passwords for things you don't open regularly?

Assuming you don't have a photographic memory (most of us don't) you have two options:

1. Store the password in a utility designed to encrypt and archive passwords (such as Password Safe or Password Gorilla). Then you only need to protect one file (the encrypted archive of passwords) and memorize the password for the archive.

2. Write down the password and store it with your money.

People tend to be careful with their money, so this option is better than you might think.

Have any thoughts on this or other PDF security issues? Feel free to contact us or let us know in the comments.