2

I've been messing around with qpdf, and noticed something that seems huge: that a document's Owner Password is essentially useless, as it can be easily unset, and therefore that only the User Password offers any real security for a PDF.

For example, when I set a User Password and an Owner Password on a PDF:

qpdf --encrypt "zeus" "zeussecurity" 128 --modify-other=n --extract=n --annotate=n --form=y --use-aes=y -- "Unsecured.pdf" "Secured.pdf"

...all that's needed to unset both of them is the User Password:

qpdf --decrypt --password=zeus Secured.pdf Secured_decrypted.pdf 

When I set only an Owner Password on a PDF:

qpdf --encrypt "" "zeussecurity" 128 --modify-other=n --extract=n --annotate=n --form=y --use-aes=y -- "Unsecured.pdf" "Secured.pdf"

...I'm able to unset it without a password at all:

qpdf --decrypt Secured.pdf Secured_decrypted.pdf

Notice that qpdf is not a brute-forcing program and this all happens in less than a second, so this isn't a case of password strength - the passwords are simply being bypassed entirely.

Is this normal behaviour for the security on a PDF, or some sort of bug/edge case that I've run into?

Hashim Aziz

1 Answer

4

Yes, that's normal. Only the user password offers any real security; the owner password is pure snake oil (thanks Adobe). I'll make the same comparison I always make: if the owner password actually worked as advertised, it would be equivalent to effective DRM, which is well-known to be impossible.
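
An added example, not part of the original question or answer, showing why the owner-password-only file opens with no password: in the PDF standard security handler (revisions 3 and 4, used for 128-bit encryption) the file key is derived from the user password plus values stored in the file itself, so an audit script can test whether the blank user password validates. The /O, /P and /ID values and all function names are constructed for illustration, and metadata is assumed to be encrypted.

```python
import hashlib
import struct

# Password padding string of the PDF standard security handler (ISO 32000-1, 7.6.3.3).
PAD = bytes.fromhex("28bf4e5e4e758a4164004e56fffa01082e2e00b6d0683e802f0ca9fe6453697a")

def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # keystream XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def file_key(user_pw: bytes, o: bytes, p: int, file_id: bytes, n: int = 16) -> bytes:
    """Algorithm 2: the key depends on the user password and public fields only."""
    h = hashlib.md5((user_pw + PAD)[:32] + o + struct.pack("<i", p) + file_id).digest()
    for _ in range(50):
        h = hashlib.md5(h[:n]).digest()
    return h[:n]

def u_check_value(user_pw: bytes, o: bytes, p: int, file_id: bytes) -> bytes:
    """Algorithm 5: the first 16 bytes of /U for this user password."""
    key = file_key(user_pw, o, p, file_id)
    block = rc4(key, hashlib.md5(PAD + file_id).digest())
    for i in range(1, 20):
        block = rc4(bytes(b ^ i for b in key), block)
    return block

def classify(enc: dict) -> str:
    """Report whether the blank user password validates against /U."""
    if u_check_value(b"", enc["O"], enc["P"], enc["ID"]) == enc["U"][:16]:
        return "owner-password only: content opens with no password"
    return "user password required"

def make_sample(user_pw: bytes) -> dict:
    # Constructed /Encrypt values; a real /O is derived from the owner password.
    o, p, fid = bytes(range(32)), -3392, bytes(16)
    return {"O": o, "P": p, "ID": fid, "U": u_check_value(user_pw, o, p, fid) + bytes(16)}
```

The owner password never enters `file_key`; it only influences the stored /O value, which is why the permission flags in /P are honoured by cooperating viewers rather than enforced by the encryption.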