How to password-protect a PDF properly

A PDF password is useful when a file must travel through email, shared storage or a ticket system that is not the final access boundary. Proper encryption means the document contents are unreadable without the password. It is different from a viewer preference that merely asks people not to print or edit; those permission flags may not be enforced consistently by every PDF application.

FeelPDF's Protect PDF tool applies AES-256 encryption in the browser. The unprotected file and the password remain on the device during processing. That reduces exposure during the transformation, but the safety of the result still depends on password quality, how the password is delivered and what the recipient does after opening the file.

Use a password that is unique to this document exchange. A long passphrase made from unrelated words is easier to type and usually stronger than a short string with predictable substitutions. Do not use the recipient's name, birth date, invoice number or a password already used for an account. Those values are often available in the message or can be guessed from context.

A password manager can generate and store a random value when both sides use one. If the document must be retained, record the password in an approved secure system; an encrypted archive is not useful if nobody can open it a year later. For organizational records, follow the retention and key-recovery policy rather than inventing a private scheme.

Make sure the source contains only the pages intended for the recipient. Encryption does not excuse an accidental extra attachment or hidden spreadsheet. Run the protection task, save the output under a clear new filename and close the source. Then open the protected copy in a different PDF viewer. It should request the password before displaying page content.

Try an incorrect password once and then the correct one. Browse several pages, search for text and print only if printing is part of the required workflow. This test confirms that the file is both protected and usable. If the viewer opens it without prompting, stop and inspect which file you selected; sending the wrong copy is more common than a failure of modern encryption.

Do not place the password in the same email as the attachment. Anyone who obtains that message would have both pieces. Send the PDF by email and deliver the password through a known phone number, an encrypted messenger or an enterprise secret-sharing tool. Confirm the recipient's identity before using a new channel suggested in an unexpected message.

Avoid permanent public links to protected files when a time-limited authenticated share is available. Encryption is a layer, not a replacement for access controls. Remove old shared copies when the exchange is complete and consider whether the recipient needs a downloadable file at all.

Once an authorized person opens the PDF, they can often save a decrypted copy, take screenshots, photograph the screen or retype the information. Password protection is therefore access control for the file in transit and at rest, not digital rights management. Watermarks can discourage casual forwarding and identify a recipient, but they do not make copying impossible.

If the file contains information that should never reach the recipient, redact or remove it before encryption. If it needs proof of origin or tamper detection, use an appropriate digital-signature workflow. Encryption, redaction and signatures solve different problems and should not be treated as interchangeable checkboxes.