PDF encryption explained: 128-bit vs 256-bit
Whenever you add a password to a PDF, your app shows a number: 40-bit, 128-bit, 256-bit. Most people pick whatever's default, hit save, and move on. That's fine — but it's worth 5 minutes to understand what you're choosing, because “secure PDF” means surprisingly different things depending on which number you get.
What the numbers actually mean
The numbers refer to the length of the encryption key, in bits. A key is a random string used together with the cipher to scramble content. The longer the key, the more possible combinations an attacker would have to try to guess it.
- 40-bit: 2⁴⁰ ≈ 1.1 trillion combinations. Sounds huge, but it is small enough to exhaust on ordinary hardware: hours on a single CPU, minutes on a few GPUs. Worse, for a 40-bit PDF the attacker recovers the file key directly, so the strength of the password makes no difference at all.
- 128-bit: 2¹²⁸ ≈ 3.4 × 10³⁸. Beyond any realistic brute-force attack, now or in the foreseeable future.
- 256-bit: 2²⁵⁶ ≈ 1.16 × 10⁷⁷, within a few orders of magnitude of the estimated number of atoms in the observable universe (roughly 10⁸⁰).
In other words: 40-bit is broken, 128-bit is safe in practice, 256-bit is safe by a ridiculous margin.
A brief history of PDF encryption
PDF 1.1 to 1.4 — RC4 with 40-bit and 128-bit keys (1996–2003)
Early PDFs used the RC4 stream cipher: 40-bit keys from PDF 1.1 (security handler revision 2), 128-bit keys from PDF 1.4 (revision 3). RC4 is a retired algorithm with well-known keystream biases, but those biases are not the practical problem for PDFs; the key handling is. The 40-bit key is recovered by brute force regardless of the password, and the 128-bit scheme turns the password into the key with a short chain of MD5 hashes (50 iterations), which lets a GPU test an enormous number of password guesses per second. Neither should be used today.
PDF 1.6 — AES-128 (2005)
Introduced AES (the Advanced Encryption Standard), the symmetric cipher used in TLS, VPNs, disk encryption and secure messaging worldwide. AES-128 here means a 128-bit key under AES in CBC mode, selected through the crypt filter named /AESV2. Note that the password is still converted into the key with the same MD5-based derivation as 128-bit RC4, so the cipher got stronger but guessing the password got no harder.
PDF 1.7 Extension Level 3 and 8 / ISO 32000-2 — AES-256 (2008 and 2010, standardized 2017)
Current state of the art, with one trap. Acrobat 9 (Extension Level 3, security handler revision 5) introduced AES-256 but derived the key from a single SHA-256 of the password and a salt, with no iteration. That made password guessing far cheaper than under the older 128-bit scheme, a well-known regression. Acrobat X (Extension Level 8, revision 6, 2010) replaced it with an iterated construction that runs at least 64 rounds of SHA-256/384/512 interleaved with AES, and ISO 32000-2 (PDF 2.0, 2017) standardized revision 6. It is not PBKDF2, but it is the password-strengthening step that matters. It is still fast enough on GPUs that the password remains decisive. Choose AES-256 with revision 6 where a tool offers it; not every tool defaults to it, and a file labelled "256-bit" may be revision 5.
What about quantum computers?
A future large-scale quantum computer would roughly halve AES's effective key length (via Grover's algorithm): AES-256 would behave like a 128-bit cipher under quantum attack, AES-128 like a 64-bit one. In practical terms, AES-256 is considered quantum-resistant enough; AES-128 is probably still fine for anything you wouldn't need to keep secret for 30+ years. For a password-protected PDF it changes little either way, because the password, not the key, is the weak link, and Grover would shorten the password search just as much. It is still a reason to prefer 256 where available.
Why the password still matters more than the cipher
Here's the uncomfortable truth: no matter how strong the encryption algorithm is, if the password is weak, the file is weak. Attackers don't actually try all 2²⁵⁶ combinations. They try leaked common passwords first, then dictionary words, then mangling rules such as word + year, capitalised first letter or a trailing "!". That's a dictionary attack, and it's what turns a "256-bit encrypted" PDF with password summer2024 into a 10-minute exercise.
AES-256 with “password123” is less secure than AES-128 with a 14-character random password.
A good password is:
- Long. At least 14 characters, 16+ is better.
- Unpredictable. Not a dictionary word, not a birthday, not a name + year.
- Unique. Not reused from another account or document.
The easy way: let your password manager generate one, and store it there.
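To make the ordering concrete, here is an added example (not the app's code) of the attacker's side of a dictionary attack with mangling rules, in Python. SHA-256 stands in for the PDF key derivation, which is an assumption made for simplicity; the word lists, years, suffixes and the guessing rate are constructed for the demonstration. The point it shows is that the attack cost is set by the position of the password in the candidate list, not by the cipher, and that even a 14-character random password sits below the 128-bit key in keyspace.

```python
import hashlib
import math

# Constructed stand-in for a real password-guessing run (added example, not the app's code).
# SHA-256 plays the role of the PDF password-to-key derivation: the real PDF algorithms
# differ, but the attacker's loop looks the same, and the candidate order is what matters.
TOP_LIST = ["123456", "password", "password123", "qwerty", "letmein"]
WORDS = ["summer", "winter", "spring", "autumn", "welcome", "admin", "company"]
YEARS = [str(y) for y in range(2015, 2027)]
SUFFIXES = ["", "!", "1", "123"]


def candidates():
    """Yield guesses in the order a cracker tries them: leaked top list first,
    then plain dictionary words with case variants, then word + year + suffix rules."""
    yield from TOP_LIST
    for word in WORDS:
        for variant in (word, word.capitalize(), word.upper()):
            yield variant
    for word in WORDS:
        for variant in (word, word.capitalize()):
            for year in YEARS:
                for suffix in SUFFIXES:
                    yield variant + year + suffix


def derive(password: str) -> str:
    """Stand-in for the PDF key derivation (assumption: not the real algorithm)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(target: str):
    """Run the candidate list against a target; return (password, guesses_used)."""
    used = 0
    for used, guess in enumerate(candidates(), 1):
        if derive(guess) == target:
            return guess, used
    return None, used


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of keyspace an attacker faces for a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


if __name__ == "__main__":
    print(crack(derive("summer2024")))        # found after a few dozen guesses
    print(crack(derive("K7#v2pQ!x9Lm$r")))     # not in any list: the run exhausts all 698
    bits = search_space_bits(94, 14)           # ~91.8 bits for 14 random printable characters
    print(bits, years_to_exhaust(bits, 1e9))   # assumed 10^9 guesses/s: still ~10^11 years
```

The random password is still below the 128-bit key in keyspace, which is why the page says the password, not the bit length, is the first thing to fix: the cipher only bounds the attack from above, the password sets the actual cost.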
What about the “owner password”?
PDFs support two passwords:
- User password (open password): required to view the document. The content is encrypted; without this password, the file is gibberish. This is the one that provides real protection.
- Owner password (permissions password): required to change permissions like printing or copying. When only an owner password is set, the file is encrypted with an empty user password, so every reader decrypts it silently without asking; the permission bits stored in the /P entry are merely honoured by compliant readers. A non-compliant reader or a command-line tool ignores them and can strip them.
The owner password is useful but it's not “encryption” in the protection sense. If your goal is to keep content private, the open password is the one that matters.
How to check what encryption a PDF uses
On macOS, open the file in Preview and choose Tools → Show Inspector; the lock tab lists the encryption method and the permissions. iOS has no built-in reader that exposes this cleanly, but a decent PDF tool will show it before or after encryption. On any platform with a command line, qpdf --show-encryption file.pdf prints the security handler revision (R), the permission flags and the cipher used for strings, streams and the file. Look for AES rather than RC4, a key length of 128 or 256, and, for AES-256, revision 6 rather than 5.
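What a tool's "encryption" display is derived from are four entries of the standard security handler dictionary: /V (algorithm), /R (revision), /Length (key bits) and /CFM (crypt filter method). The following Python is an added example, not the app's code and not a full PDF parser: it locates that dictionary by scanning for /Filter /Standard and maps the values to the generations described above. The sample inputs are constructed fragments; a real file can contain "<<" or ">>" inside binary string literals, which this simple scanner does not handle, so treat it as a check and use a proper tool such as qpdf when the answer matters.

```python
import re

# Constructed sample fragments (added example; not real files and not the app's code):
# only the parts of a PDF the checker reads, with dummy hex strings for /O and /U.
SAMPLE_PLAIN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer << /Root 1 0 R >>"
SAMPLE_RC4_40 = (b"%PDF-1.1\n5 0 obj << /Filter /Standard /V 1 /R 2 /O <01> /U <02> /P -64 >>"
                 b" endobj\ntrailer << /Root 1 0 R /Encrypt 5 0 R >>")
SAMPLE_AES_128 = (b"%PDF-1.6\n5 0 obj << /Filter /Standard /V 4 /R 4 /Length 128"
                  b" /CF << /StdCF << /CFM /AESV2 /AuthEvent /DocOpen /Length 16 >> >>"
                  b" /StmF /StdCF /StrF /StdCF /O <01> /U <02> /P -3904 >> endobj\n"
                  b"trailer << /Root 1 0 R /Encrypt 5 0 R >>")
SAMPLE_AES_256_R5 = (SAMPLE_AES_128.replace(b"/V 4 /R 4 /Length 128", b"/V 5 /R 5 /Length 256")
                     .replace(b"/CFM /AESV2", b"/CFM /AESV3").replace(b"/Length 16", b"/Length 32"))
SAMPLE_AES_256_R6 = SAMPLE_AES_256_R5.replace(b"/R 5", b"/R 6")


def _enclosing_dict(data: bytes, pos: int):
    """Return the innermost '<< ... >>' containing offset pos (None if unbalanced).
    Simplification: a '<<' or '>>' inside a string literal would confuse it."""
    depth, i = 0, pos
    while i >= 0:                      # walk back to the '<<' that opens our dictionary
        pair = data[i:i + 2]
        if pair == b">>":
            depth, i = depth + 1, i - 2
        elif pair == b"<<" and depth == 0:
            break
        elif pair == b"<<":
            depth, i = depth - 1, i - 2
        else:
            i -= 1
    else:
        return None
    start, depth, j = i, 0, i
    while j < len(data):               # walk forward to the matching '>>'
        pair = data[j:j + 2]
        if pair == b"<<":
            depth, j = depth + 1, j + 2
        elif pair == b">>":
            depth, j = depth - 1, j + 2
            if depth == 0:
                return data[start:j]
        else:
            j += 1
    return None


def _top_level(d: bytes) -> bytes:
    """Strip nested sub-dictionaries (such as /CF) so /Length is read from the outer level."""
    out, depth, i = bytearray(), 0, 0
    while i < len(d):
        pair = d[i:i + 2]
        if pair in (b"<<", b">>"):
            depth += 1 if pair == b"<<" else -1
            i += 2
        else:
            if depth == 1:
                out.append(d[i])
            i += 1
    return bytes(out)


def describe_pdf_encryption(pdf: bytes) -> dict:
    """Classify the standard security handler by its /V, /R, /Length and /CFM values."""
    hit = re.search(rb"/Filter\s*/Standard\b", pdf)
    if hit is None:
        note = "non-Standard handler or unparsable" if b"/Encrypt" in pdf else "no /Encrypt dictionary"
        return {"encrypted": b"/Encrypt" in pdf, "cipher": None, "key_bits": None, "revision": None, "note": note}
    d = _enclosing_dict(pdf, hit.start()) or b""
    top = _top_level(d)

    def num(key: bytes, default: int) -> int:
        m = re.search(rb"/" + key + rb"\s+(\d+)", top)
        return int(m.group(1)) if m else default

    v, r, length = num(b"V", 0), num(b"R", 0), num(b"Length", 40)   # /Length absent means 40
    m = re.search(rb"/CFM\s*/(\w+)", d)
    cfm = m.group(1).decode() if m else None
    cipher, bits, note = "unknown", length, "unrecognised /V or /R"
    if v == 1:
        cipher, bits, note = "RC4", 40, "PDF 1.1: key brute-forced directly, password strength irrelevant"
    elif v == 2:
        cipher, bits, note = "RC4", length, "PDF 1.4: MD5-based password hash, RC4 is retired"
    elif v == 4 and cfm == "AESV2":
        cipher, bits, note = "AES-CBC", 128, "PDF 1.6: same MD5-based password hash as RC4-128"
    elif v == 4 and cfm == "V2":
        cipher, bits, note = "RC4", 128, "PDF 1.5 crypt filter over RC4"
    elif v == 5 and r == 5:
        cipher, bits, note = "AES-CBC", 256, "Acrobat 9 / Extension Level 3: single SHA-256 password hash, cheap to guess"
    elif v == 5 and r == 6:
        cipher, bits, note = "AES-CBC", 256, "PDF 2.0 (ISO 32000-2): iterated SHA-2/AES password hash"
    return {"encrypted": True, "cipher": cipher, "key_bits": bits, "revision": r, "note": note}


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_RC4_40, SAMPLE_AES_128, SAMPLE_AES_256_R5, SAMPLE_AES_256_R6):
        print(describe_pdf_encryption(sample))
```

The same dictionary also carries the /P permission bit-field that the owner password protects; it is readable here without any password, which is the concrete reason the owner password is not "encryption in the protection sense".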
Encrypt with AES-256 on iPhone
Unlock my PDF uses iOS's native Core Graphics encryption (AES-256 when supported by the device). Strong by default, on-device only.
Frequently asked questions
Is 256-bit twice as strong as 128-bit?
Exponentially more. Each extra bit doubles the keyspace. 256-bit is 2¹²⁸ times harder to brute-force than 128-bit — which is already beyond practical reach. In everyday terms, both are “unbreakable by brute force” in any realistic threat model; 256 just has much more margin.
Can the NSA / a state actor break AES-256?
There's no public evidence of a practical attack on properly implemented AES-256 today. The realistic threat isn't the algorithm — it's weak passwords, leaks from the endpoints (your computer, the recipient's phone), or compromised backups.
What about the PDF itself — does it leak metadata?
Only strings and streams are encrypted; the object skeleton of the file stays in the clear. So the page count, font names, the number and rough size of images, and the overall structure are visible without the password, and from PDF 1.5 onward the /EncryptMetadata flag, if set to false, leaves the XMP metadata stream (title, author, creation tool) unencrypted. For maximum privacy, strip metadata before encrypting and make sure the tool does not disable metadata encryption.
If the password is so important, why not skip the encryption and just use a very long password?
A password without encryption is just a flag — anyone with the right tool ignores it. You need both: real encryption and a strong password.
Bottom line. 256-bit AES is the modern default and there's no good reason to use anything weaker. But before worrying about bit lengths, fix the password first: a strong, unique, 14+ character password will protect you against every realistic attack. Everything else is margin.