Securing your important PDF documents with a password can be a great way to ensure your privacy remains unbroken – until you lose, or forget the password.
pdfcrack is a simple command line utility that will attempt to crack the password of any PDF file with a single command, if used the right way, and on files you have permission to crack.
Cracking PDF passwords might not be legal in your country; you should always check for laws and legislation before attempting to do anything of the sort.
Also, pdfcrack is meant to be used on files you own or have obtained permission to crack from the owner. You must never use password cracking software such as this to obtain passwords of protected documents you don’t have the permissions for or for illegal means.
The following information is provided for educational purposes only – to help users recover documents they own or have obtained permission to crack. The author or anybody representing Make Tech Easier are in no way responsible for the way readers will use the information provided here.
pdfcrack is readily available from most Linux distros’ main repositories. On Debian (and so Ubuntu) derivatives, you can install it with
sudo apt-get install pdfcrack
To crack the password of a PDF file you own, or have permission for, you can use the command
pdfcrack -f filename.pdf
Password cracking is a long and tedious process. pdfcrack will attempt to crack your file with a series of words (combinations of characters) which can take a long time, especially since it appears to be a single threaded process utilizing only one CPU core regardless of your setup.
Besides using only one core, the single CPU will be run at one-hundred percent for the full duration of the cracking.
To speed up the process, you can feed pdfcrack with a subset of characters to try, using the
-c option. The below example would use the letters ‘a’, ‘b’, ‘c’, ‘d’, ‘e’, ‘f’ and numbers ‘0’, ‘1’, ‘2’, ‘3’, ‘4’.
pdfcrack -f filename.pdf -c abcdef01234
This could help if you have a rough idea of what your password looks like, e.g. when you use a few regular passwords to secure your files, but you are unsure which one it is, or you’re afraid you have misspelled one (twice) at the time of setting it up.
If you are afraid of your CPU getting damaged by the heavy use, you can cancel the process at any time (Ctrl + C). pdfcrack will attempt to save the state of the process,
and you can later resume the crack from the saved file with the
-l switch. The default file name for saving is “savedstate.sav.”
pdfcrack -f filename.pdf -l savedstate.sav
You can also set a minimum or maximum length for the attempted passwords. This is useful when you know you always use a password longer or shorter than a given length.
To set the minimum length, use the
-n=LENGTH flag. For example, to only check for passwords longer than five characters you can use
pdfcrack -f filename.pdf -n=5
To set the maximum length, use the
-m=LENGTH. For example, to only check for passwords shorter than ten characters, you can use
pdfcrack -f filename.pdf -m=10
You can of course combine the options. To check for passwords shorter than ten characters but longer than five and only containing the letters “a, b, c, d, e, f,” use
pdfcrack -f filename.pdf -m=10 -n=5 -c abcdef
Using these options have the potential to give it a considerable performance boost if used the right way.
Other options include using a word list (
-w), working with an owner password (
-o) or a user password (
-u, although this is the default behaviour), or providing a user password to ease the process of obtaining an owner password (
-p). Permutation (
-s) is currently limited to switching the first character to uppercase.
You can also use
-b to perform a benchmark to have an idea of how well pdfcrack might perform
To see how all the options work, just type
pdfcrack, and it will print its usage.
For testing purposes, a small sample PDF file was created with LibreOffice Writer 4.4 in two versions. The first version had a random seventeen-character long password with a combination of upper and lower case letters, numbers and non-alphanumeric characters. The sort of password even the most paranoid security geek would decide was “acceptable”.
pdfcrack proceeded with attempting to crack the password for many minutes.
Unfortunately the test had to be canceled as the CPU’s temperature eventually reached 69°C/156°F despite all the cooling attempts (oversized fans, water, cold beer), and any damage for the AMD chipset at that temperature was considered unworthy for seeing how well pdfcrack might perform.
For the second attempt a shorter and much simpler password – “crackme” – was given. pdfcrack delivered the result in under fifteen minutes.
On the third attempt a subset of characters – “a,c,d,e,k,m,r,p,t” – was specified, containing all the characters of the actual password and then some. The result was almost instantaneous.
Of course it is only good to err on the too many characters side. If you don’t provide enough, the password could never be cracked, and the missing characters would never be tried.
The last attempt will probably represent a more realistic scenario where you know the sort of passwords you usually use for your documents, but you’ve forgotten which one the PDF was secured with (if it’s your own document, you should probably know such details), and you can help the password cracker guess for you.
A little trick to speed things up further
pdfcrack is single threaded, meaning it will not be able to use multiple CPU cores, yet you can use bash to run multiple instances simultaneously. If you are uncertain which options to use, or if you have multiple guesses as to the successful setup, this trick would save you some time and effort.
In the following example, three instances are started at once. One is a simple command with no options, the second one includes a subset of letters (which of course includes all the letters of the password “crackme”), and the last one uses a different subset of characters with an option to only check for words longer than five characters. Simultaneous execution (multiple processes, not multiple threads) will be achieved by the
pdfcrack -f testpdf.pdf & pdfcrack -f testpdf.pdf -c rkmetacti & pdfcrack -f testpdf.pdf -c hjktr -n=5
This will start three processes running on three separate cores
As the snapshot below shows, one of the commands has in fact found the right password very quickly, but the other two kept on trying, so it’s worth keeping an eye on the output.
Another way to make sure this happened would be to filter
atop output to only show
pdfcrack. When one of the processes disappears, it probably means it has found a password.
Once you’ve found the password, or if you wish to terminate the run, you need to make sure all started processes die. The easiest way to ensure this would be to use
from another terminal window.
pdfcrack is a simple tool to recover lost passwords of your PDF files or of files you have permission to crack (if regulations allow, of course). It cannot be used to alter any permissions set in the PDF but only to crack a password. While it would eventually discover the most elaborate password, this could take a very long time. With a little knowledge (of your own password setting habits) and setting appropriate options, the process could be considerably set up. So whether you forgot or just mistyped your password while setting it up, you can easily recover them with this single command.