๐ Delete PDF Password
Unlock a password-protected PDF right here โ 100% local, zero uploads.
Private by design โ your PDF never leaves your device.
Supports RC4 (40-bit & 128-bit) and AES-128 encrypted PDFs (PDF 1.1โ1.6).
What Does "PDF Password" Actually Mean โ and Why Removing It Is Sometimes the Right Call
There are two very different kinds of PDF passwords, and most people encounter them without realising they're not the same thing. The first is an open password (sometimes called a user password) โ the kind that blocks you from even opening the file. The second is a permissions password (owner password), which lets you open and read the document but silently prevents actions like printing, copying text, or editing. Both are stored as cryptographic hashes in the PDF's encryption dictionary, and both can, under the right circumstances, be legally and practically removed by the document's owner.
The scenario this tool is built for: you created or received a PDF, you know the password, but the constant re-authentication is becoming a friction point. Maybe it's a scan of your own tax return, a bank statement you've already downloaded, or a work document you need to batch-print from a system that chokes on encrypted files. Entering the password once to get a clean, unrestricted copy is a completely reasonable thing to want.
How PDF Encryption Actually Works Under the Hood
When you password-protect a PDF, the application doesn't simply lock a file with your password as a key. Instead, it runs your password through a multi-step derivation process โ originally specified in the PDF standard going back to version 1.1 โ to generate a separate file encryption key. That key is what's used to encrypt the actual content: every text stream, image data, and embedded object gets scrambled individually.
Older PDFs (up to version 1.5 or so) typically use RC4 encryption, either with a 40-bit key (very weak, PDF revision 2) or a 128-bit key (revision 3). PDF 1.6 introduced AES-128 in CBC mode (revision 4), which is considerably more robust. PDF 1.7 extended this further to AES-256, though that's a different algorithm path entirely.
The key derivation for standard PDF encryption involves padding your password to exactly 32 bytes using a well-known padding sequence from the spec, then running an MD5 hash over that padded password combined with the owner-password hash, the permissions flags, and the file's unique ID. For revisions 3 and above, this MD5 step repeats 50 times to slow brute-force attacks. The resulting bytes become the file encryption key used for RC4 or AES operations on every individual object.
To verify that you've got the right password, the spec defines two verification algorithms. For RC4, the encryption of a known padding sequence with the derived key should match the stored U (user) value. For AES, it's a similar challenge-response using the file ID. This is exactly what happens when you enter a password here โ the tool checks your answer against the stored verification data before touching a single byte of content.
The "Owner Password" Situation โ What It Means for Permissions-Only Locks
Here's something that surprises people: a PDF can have an owner password without a user (open) password. In that case, the file opens freely โ no password prompt โ but certain operations are disabled. The encryption is still real; the file key is derived from an empty user password combined with the owner password hash, and the permissions flags are cryptographically protected.
What this means in practice is that the "permissions" enforced by an owner password are only enforced by PDF reader software that respects them. The spec itself acknowledges this โ it describes the permissions as an advisory mechanism, not a security boundary. Even so, many workflows depend on those flags, and stripping them (if you have the right to do so) is a legitimate operation.
Why Client-Side Processing Matters for Sensitive Documents
A document protected by a password is, by definition, sensitive. Uploading it to a third-party server to have the password removed means trusting that server's security posture, their data retention policies, and their staff access controls โ none of which you can verify. This is not a hypothetical concern: financial documents, legal agreements, medical records, and HR files routinely end up in password-protected PDFs, and those are exactly the documents you shouldn't be handing to a random web service.
Running the decryption in your browser eliminates that risk entirely. The file stays on your device. The JavaScript engine in your browser handles the cryptographic operations locally, and nothing is transmitted. The unlocked file is generated in memory and offered as a direct download. If you close the tab, it's gone.
What Encryption Versions This Tool Supports
This tool handles the most common PDF encryption formats encountered in documents created between roughly 1998 and 2015: RC4 40-bit (PDF 1.1โ1.3), RC4 128-bit (PDF 1.4โ1.5), and AES-128 (PDF 1.6). The underlying algorithms โ MD5 for key derivation, RC4 for stream decryption, and AES-128 in CBC mode โ are all implemented from scratch in pure JavaScript with no external libraries.
PDF 1.7 AES-256 (revision 5 and 6) uses a completely different key derivation scheme based on SHA-256 rather than MD5, and that's outside the scope of this tool. If you have a newer PDF created by Acrobat XI or later with 256-bit AES, you'll need a desktop application like qpdf, Ghostscript, or Adobe Acrobat itself. Most PDFs from banks, government portals, and typical business software still use AES-128 or RC4-128, though, so this covers a wide practical range.
The Legal and Ethical Picture
Removing a PDF password is legal when you own the content or have authorisation from the owner. Creating an unlocked copy of your own bank statement, a contract you signed, or a document you authored is no different from making a photocopy. What you can't legally do is remove password protection from someone else's copyrighted content to bypass distribution controls โ the same rule that governs other DRM circumvention in many jurisdictions.
The tool has no way to know whether your use is authorised; that's between you and the law. But the password requirement itself is part of that check โ if you know the password, you presumably have legitimate access to the document.
Frequently Asked Questions
What Happens to the Original File?
Nothing. This tool reads the file into browser memory, processes a copy, and offers the decrypted version as a new download. Your original file on disk is completely untouched. The tool never writes back to any file on your device โ browser security restrictions make that impossible without explicit save dialogue interaction.