You're sending a bank statement to your accountant, a contract to a client, or a medical record to a specialist. The information is sensitive enough that you don't want it readable if it lands in the wrong inbox. The simplest protection: a password.
This guide covers how to password-protect a PDF for free without paying for Adobe Acrobat, what encryption to use, and when password protection is genuinely sufficient vs. when you need something stronger.
What "password-protected PDF" actually means
There are two separate password types in PDFs, and they protect against different things:
1. User password (open password / document password). The PDF can't be opened at all without the password. The contents are encrypted; without the password, no one can see even one page. This is the strong protection most people want when they say "password-protect this PDF."
2. Owner password (permissions / restrictions password). The PDF opens normally without a password — but certain actions (printing, copying text, editing, filling forms) are blocked unless the owner password is entered. This is very weak protection — easily bypassed by online unlock tools (covered in our unlock guide). Don't rely on owner passwords for security.
For real protection of sensitive data, set a user password. The owner password is mostly for politeness signaling ("please don't print this") rather than security.
How strong is PDF encryption?
Modern PDF encryption uses AES (Advanced Encryption Standard), the same algorithm used by banks and governments. The two relevant strengths:
- AES-128: Strong. Practically unbreakable by brute force with current hardware. Used in PDF 1.6+ (Acrobat 7+).
- AES-256: Stronger. Future-proof against advances in cryptography. Used in PDF 1.7+ (Acrobat 9+).
For everyday sensitive documents, AES-128 is enough. The math is overwhelming — even with a billion attempts per second, brute-forcing a strong AES-128 password would take longer than the age of the universe.
The weakness isn't the encryption — it's the password. A strong AES-256 cipher with the password "1234" cracks in seconds because the attacker just guesses common passwords, not because they crack the cipher.
The protection strength is dictated by your password choice, not the encryption level.
What makes a strong PDF password
The password itself does most of the security work:
| Password | Strength against attack |
|---|---|
1234 |
Cracked in milliseconds |
password |
Cracked in milliseconds |
MyDog2026 |
Cracked in days (dictionary + variations) |
Tr0ub4dor&3 |
Cracked in months (still in dictionary attack range) |
correct horse battery staple (4 random words, 30+ chars) |
Cracked in centuries |
8r#mNL2!pX9qZv (random 14 chars, mixed) |
Cracked in millennia |
Recommendation: use a random 14+ character mixed-case password OR a 4-word passphrase from random common words. A password manager generates either reliably.
What NOT to use:
- Birthdays, anniversaries, family names
- Common words alone
- Patterns from your keyboard ("qwerty", "asdfgh")
- Reused passwords from any other service
- Anything connected to information about you that's findable online
Sharing the password securely
The password is only as secure as the channel you share it over. Common mistakes:
Don't:
- Email the password in the same email as the PDF (defeats the purpose)
- Send the password in plain text via email even in a separate message (email is unencrypted)
- Send the password by text/SMS (carriers log SMS; phones can be lost)
- Share over WhatsApp / Messenger (recipient may have automatic backups, third-party access)
- Use a password the recipient already knows (their compromised account compromises your file)
Do:
- Use a password manager's secure-share feature (1Password, Bitwarden, LastPass have this)
- Tell the password verbally over phone/video (not recorded)
- Send via end-to-end encrypted messaging (Signal)
- Use a one-time-use password tool (yopass.se, password.link)
- Tell the recipient in person, then email/upload the PDF separately
The PDF goes one channel; the password goes another. That way, intercepting one doesn't expose both.
Step-by-step: free password protection
Method 1: Browser-based tool
Easiest for one-off protection:
- Open a PDF protection tool — e.g., PDFGrover's Protect PDF.
- Upload your PDF (or drag onto the dropzone).
- Choose a strong password (use a password manager to generate one).
- Optionally choose AES-128 vs AES-256 (default is fine for most uses).
- Click Protect.
- Download the encrypted PDF.
- Verify by closing it and trying to reopen — should prompt for the password.
For browser-based tools that process locally, your file isn't uploaded — the encryption happens in your browser.
Method 2: macOS Preview (built-in, free)
If you're on macOS:
- Open the PDF in Preview.
- File → Export As PDF.
- Click Show Details if not visible.
- Check Encrypt.
- Enter password (and verify).
- Click Save.
Preview's encryption is AES-128 with a strong password. The output is a fresh PDF; the original is untouched.
Method 3: Microsoft Word (if PDF originated as a Word doc)
If the source is a Word document and you'll re-export to PDF:
- Open in Word.
- File → Save As → PDF.
- Click Options.
- Check Encrypt the document with a password.
- Enter password.
- Save.
Works for any Office document being exported to PDF.
Method 4: Online tools that process server-side
Many online services offer protection but require uploading the file. Trade-off: convenience vs. file leaving your device.
If using one:
- Pick a service with a clear privacy policy stating files are deleted after processing
- Use HTTPS (lock icon in address bar)
- For very sensitive documents, prefer browser-based or desktop tools that don't upload
Common scenarios
Scenario 1: Send a single sensitive PDF to one recipient
- Encrypt the PDF with a strong password using any free method above.
- Email the encrypted PDF.
- Send the password via a separate channel (Signal, password manager, phone call).
- Confirm with the recipient that they could open it.
Scenario 2: Send sensitive PDFs to many recipients (newsletter-style)
Don't use one shared password — each recipient gets the same password = compromised once = exposed for all.
Better:
- Use a service that supports per-recipient passwords (most paid e-signature platforms do)
- Or send each recipient a uniquely-encrypted copy with a unique password
- Or use a secure portal where recipients authenticate to download
Scenario 3: Protect documents for your own archive
If the document is just for your personal records:
- Encrypt with a strong password.
- Store the password in your password manager.
- Save the PDF in your encrypted-folder backup (cloud storage with end-to-end encryption like Cryptomator, Tresorit).
Single point of failure: lose the password manager, lose access. Maintain backups of the password manager itself.
Scenario 4: Compliance-driven protection (HIPAA, GDPR, etc.)
Free password protection meets the minimum technical requirement for "encrypted at rest" in many regulations, but compliance often requires more:
- Audit trails (who accessed when)
- Per-user access controls (revocable)
- Centralized key management
- Logging of access attempts
For real compliance, use a regulated platform (e.g., DocuSign HIPAA-compliant tier, M365 Sensitivity Labels) rather than ad-hoc password protection.
When password protection is enough
Password protection is genuinely effective for:
- Personal financial documents emailed to your accountant
- Contracts shared with one or a few specific recipients
- Medical records sent to specific doctors/insurers
- Legal documents shared with your attorney
- Any "should not be readable if intercepted" use case
It's adequate when:
- You can share the password securely
- The recipient is competent enough to handle a password-protected file
- You don't need to revoke access after sharing
- You're not under regulatory rules requiring audit trails
When password protection isn't enough
Cases where password protection is the wrong tool:
- Documents you may need to revoke. Once shared with the password, you can't take it back. The recipient has the file forever.
- Documents shared with many recipients. Hard to manage one password per recipient; easy to leak.
- Documents needing access tracking. Password-protected PDFs don't log who opens them or when.
- Highly sensitive documents (state secrets, sealed legal records). Need air-gapped, government-approved tools.
- Documents requiring expiry. PDFs don't natively support "expires after X days" — once opened, the recipient can re-save without the password.
For these, look at:
- DocuSign / Adobe Sign envelope-level protection with audit
- Microsoft Purview / Sensitivity Labels (M365 environments)
- Privacy-focused secure file-sharing (Tresorit, ProtonDrive)
- Specialised secure document platforms (Mimecast, FileCloud)
Verifying after protection
Always verify before sending:
- Close the protected PDF.
- Open it fresh — confirm the password prompt appears.
- Enter the wrong password — should reject.
- Enter the right password — should open and let you view all pages.
- Try to copy text from a page — works (we set user password, not owner restrictions).
- Print preview — confirms printing works.
- Close, reopen — password is required again (didn't get cached).
If any of these fail, redo the protection with a fresh tool.
Common mistakes
Setting a weak password to make it easier for the recipient. Defeats the purpose. Use a strong password and share it via secure channel.
Sharing password and PDF in the same email. Anyone reading the email reads both. Different channels.
Forgetting your own password. Without a password manager, you can lock yourself out of your own document. Always store passwords in a manager.
Re-saving a protected PDF in another tool. Some tools strip encryption when re-saving. Verify the output is still encrypted.
Using owner password thinking it's protection. Owner passwords are easily removed. For real protection, use user (open) passwords.
Confusing the encryption level with the security. AES-256 with password "abc" is weaker than AES-128 with a 14-character random password. Password length and randomness do most of the work.
Quick reference
| Goal | Password type | Encryption | Sharing channel |
|---|---|---|---|
| Personal financial doc to accountant | User password | AES-128 | Password manager link |
| Contract to client | User password | AES-128 | Phone call for password |
| Medical record to specialist | User password | AES-256 | Encrypted email or portal |
| Restricted internal doc (no print/copy) | Both | AES-128 | Internal channels only |
| One-off file to friend | Optional | Any | Casual is fine |
Summary
Free password protection of PDFs is built into many free tools — macOS Preview, Microsoft Word's PDF export, and various browser-based services. AES-128 with a strong, randomly-generated password protects against any realistic attack on the encryption.
The weak link in PDF security is almost always the password (too short, common, reused) or the sharing channel (sending password in same email as the PDF). Pick a strong password, share it through a different channel, and the protection is genuine.
PDFGrover's Protect PDF tool encrypts PDFs in your browser for small files (no upload), supports AES-128 and AES-256, and doesn't add anything to the file. Generate strong passwords with your password manager and share via separate channels for end-to-end secure document handling.