Most people are familiar with the standard “open” password. We use open passwords all day to access online accounts. In fact, you might encounter password “road blocks” so often that you cringe about reading an entire blog post about them! But if you care to probe the nooks and crannies of nuanced PDF file protection, keep reading.
Like safes, bank accounts and websites, a PDF file can also have an open (user) password. We try to open a PDF file, a box pops up, and we can’t see the content until you type the secret code. But behind the scenes, PDF security has a second, more specialized layer: the Owner Password (also known as the Permissions Password).
If the User Password is the key to the front door, the Owner Password is the “Admin” access to the building’s controls.
One PDF, Two Keys
So, every secured PDF can have two distinct passwords assigned to it. Understanding the difference is crucial for document security and workflow management.
- The User Password (Document Open Password) controls access. If this is set, no one can view the content without it.
- The Owner Password (Permissions Password) controls capabilities. Even if a user can open and read the file, the Owner Password dictates what they are allowed to do with it.
Just because you have a User Password and can open a file, doesn’t mean you necessarily have full access to the file (unless you cheat).
An Owner Password protects the “Master” version of the file. You can share a master-passworded document freely, knowing that the “User” experience is restricted to viewing only, while you retain the power to unlock the full features whenever necessary.
When you apply an Owner Password, the PDF is encrypted. To change any PDF settings later, you must provide the Owner Password.
Owner Password + Permission Flags
An Owner Password is used by document creators to protect the integrity and intellectual property of their work. When you set an Owner Password, you can toggle specific restrictions on or off:
- Printing: You can block printing entirely or limit it to low-resolution only by choosing to block only “Hi-Res print.”
- Copying: This prevents users from highlighting text or images and copying them to their clipboard.
- Modify: You can lock the text so it cannot be altered.
- Assembly/Page Manipulation: This prevents users from rotating, inserting, or deleting pages within the document.
- Annotation/Form Annotation: Maybe disallow users to sign the document, highlight text, add sticky notes, or provide feedback without risking the integrity of the original content. Keep in mind your stamp is technically an annotation so blocking this might help prevent users removing the stamp – but it depends on the PDF writing library.
- Form Filling: This allows users to interact with the document by typing into text fields, selecting dropdown options, or checking boxes without granting them permission to alter the actual design or text of the PDF. You can also specifically enable or disable the ability for users to digitally sign the document, which is essential for contracts and official applications. If your application requires formal digital signatures (not just typing a name in a box), you often have to allow Annotations as well, as signatures are technically a type of annotation.
Here’s more information from PDF Ink documentation about how to set these PDF document permissions.
Example use of Permissions Blocking
For most business use cases (like sending an invoice or a contract), we’d usually use this combination:
- Allow: Printing, Accessibility (Extract), and Form Filling.
- Block: Content Copying and Modification.
This ensures the document is useful and accessible but protected from “accidental” edits to the fine print.
How the Security Works (and Its Limitations)
It is important to understand that Owner Password security is only as strong as the software used to view the PDF. Standard viewers like Adobe Acrobat, Preview, or Microsoft Edge respect these “flags” and will gray out the print or copy buttons. However, some third-party PDF lock “removers” or specialized viewers–and even some browsers–simply ignore PDF permission flags because they aren’t required to respect the rules. If you need better security where the user cannot see the content at all without authorization, you should use a User Password, and then consider hiding content such as invisible watermarks or metadata inside your PDF for tracking.
Best Practices & Considerations
A PDF Must “Show up Unlocked” to PDF Ink
Everything starts with an unlocked (no Owner Password, or password provided) file.
In order for the free parsers included with PDF Ink to parse your PDF file, it must be unlocked (unencrypted). This candidate file will have no owner password and no user password.
If you upload a PDF with a User Password or File Protections (copy/print/modify/etc blocked) to PDF Ink, remember — that file is encrypted! PDF Ink will not be able to read/parse it until it is unencrypted. In the meantime, you will only see an error.
An Exception to this Rule
An exception to this rule is possible if you are using a paid, upgraded PDF parser like FPDI PDF-Parser or SetaPDF-Stamper, which allow you to submit an owner password for the PDF so it can be un-encrypted for manipulation. The file will then have the original owner password re-applied before it is delivered to the consumer.
All unlocked files where an owner password has not been specified in the settings will be assigned a random owner password by PDF Ink. Each delivered file will have its own random password. You can override that behavior by either setting a global owner password, a per-product owner password, or by using a filter hook – pdfink_filter_owner_password – included in PDF Ink.
Always Store the Master Key (Owner Password)
If you are generating thousands of PDFs programmatically, you might not want to use a unique, random string for every file unless you are storing that string in a database. In the PDF Ink “Owner Password” settings you can save a strong owner password that will be applied to all your PDFs. If you care to, you can occasionally update that password.
If you want to set a unique password per order, using an order number and maybe the customer’s name, you could use a filter hook to set the password:
function filter_pdf_owner_password( $owner_password, $settings ) {
// $settings['uid'] will likely be an order ID, which you can get data from
// return altered $owner_password; this is a crude example
return md5( $settings['uid'] );
}
add_filter( 'pdfink_filter_owner_password', 'filter_pdf_owner_password' );The code above is just an idea to get you started. Of course you would want to add a secret prefix or suffix to the md5’d string in order to make it less hack-able!
Keep track of your owner passwords — PDF Ink does not do that for you unless you have set one in the PDF Ink settings. In that case they will be stored encrypted in your WP database.
If your PDF files have a password and you KNOW the owner password, they can still be handled using FPDI PDF-Parser or SetaPDF-Stamper (two upgraded parsers available for PDF Ink). Usually if a PDF is passworded (user) it cannot be opened by a PDF parser like FPDI or TCPDI. If you provide FPDI PDF-Parser or SetaPDF-Stamper the owner password (PDF Ink will do that for you), the file can be opened for manipulation, then re-locked using the same owner password.
Risk of Losing the Owner Password
If a customer needs to legitimately edit a document later, and you’ve lost the unique owner password, that PDF is effectively “frozen” forever.
Don’t Break Accessibility
One of the most common mistakes is disabling the “Extract” or “Content Extraction for Accessibility” flag.
- The Consequence: If you disable this, screen readers for the visually impaired will be unable to read the document aloud. That’s not nice.
- The Fix: Don’t include
extractin your restriction array unless absolutely necessary.
Encryption Levels Matter
In order to add passwords and protections to a PDF, the PDF must be encrypted. PDF Ink allows RC4 and AES Encryption up to 256 bit. The higher the encryption level, the more demand on your server. 40-bit RC4 encryption might be easier on your server, but it is no longer considered secure. 40-bit encryption can be cracked in seconds by modern computers.
Always aim for AES-128 or AES-256 if you have robust hosting and your server can handle the heavy load of applying encryption (not to mention fonts, graphics, and maybe HTML) to your PDF.
While no permission flag is 100% unhackable, AES encryption makes it exponentially harder for automated tools to tamper with your document. In otherwords, the permissions settings aren’t really enforceable, but if the document is well-encrypted, they cannot be removed.
Side note: Don’t assume your chosen library set handles the ‘boring’ stuff like version numbers. If you are applying modern AES-256 encryption to an older PDF (version <1.7), SetaPDF will automatically upgrade the file version for you, whereas TCPDF might require you to manually ensure the output is set to PDF 1.7 to avoid viewer errors. FPDI spares you the pain since it does not offer AES encryption.
“Honor System” Reality Check
It is crucial to explain to clients that Owner Passwords are an advisory lock, not an unbreakable vault.
Well-behaved PDF viewers (Adobe Acrobat, Chrome, Firefox) will honor the “No Printing” or “No Copying” flags. However, many open-source viewers and “PDF Password Remover” websites simply ignore these metadata flags. If the user can open the file, they technically have the data.
“Setting an owner password is like putting a ‘Please Don’t Touch’ sign on a museum exhibit. Most people will follow the rules, but if someone really wants to touch it, the sign won’t physically stop their hand. For a real ‘Do Not Touch’ policy, you need a glass case—and in the PDF world, that’s a User Password.”
Use permission flags for workflow control, but use a User Password if the data is truly classified. This keeps users out of the file entirely unless they have the password.