Adobe made a critical change to the algorithm used to password-protect PDF documents in Acrobat 9, making it much easier to recover a password and raising concern over the safety of documents, according to Russian security firm Elcomsoft.Elcomsoft specializes in making software that can recover the passwords for Adobe documents. The software is used by companies to open documents after employees have forgotten their passwords, and by law enforcement services in their investigations.For its Reader 9 and Acrobat 9 products, Adobe implemented 256-bit AES (Advanced Encryption Standard) encryption, up from the 128-bit AES encryption used in previous Acrobat products.The original 128-bit encryption is strong, and in some cases it would take years to test all possible keys to uncover a password, said Dmitry Sklyarov, information security analyst with Elcomsoft. But Elcomsoft said the change in the underlying algorithm for Acrobat 9 makes cracking a weak password — especially a short one with only upper and lower case letters — up to 100 times faster than in Acrobat 8, Sklyarov said. Despite using 256-bit encryption, the change to the algorithm still undermines a document’s security.Adobe acknowledged the encryption algorithm change on its security blog. The company said brute-force attempts — where tens of millions of password combinations are tried in hopes of unlocking the document — could end up figuring out passwords more rapidly using fewer processor cycles. The changes were made to increase performance, Adobe said. But Sklyarov said that even with the 128-bit encryption algorithm used in Acrobat 8, the application responds quickly to both correct and incorrect password entries.“There is no rational reason why they did that,” Sklyarov said.Despite the change, there is a way to keep documents secure: When setting a password, people should use a combination of upper and lower case letters and other special characters, such as quotations marks, Sklyarov said. If special characters are used, the password should be no less than eight characters. If only letters are used, it should be at least 10 to 12 characters, he said.Adobe imparted the same advice. “With a longer phrase and more diversity of characters, there are many more permutations to guess,” according to the blog. The company also recommended that the security of documents can also be enhanced by additional access controls such as smart cards and biometric tools. Related content news Arm patches bugs in Mali GPUs that affect Android phones and Chromebooks The vulnerability with active exploitations allows local non-privileged users to access freed-up memory for staging new attacks. By Shweta Sharma Oct 03, 2023 3 mins Android Security Android Security Mobile Security news UK businesses face tightening cybersecurity budgets as incidents spike More than a quarter of UK organisations think their cybersecurity budget is inadequate to protect them from growing threats. By Michael Hill Oct 03, 2023 3 mins CSO and CISO Risk Management news Cybersecurity experts raise concerns over EU Cyber Resilience Act’s vulnerability disclosure requirements Open letter claims current provisions will create new threats that undermine the security of digital products and individuals. By Michael Hill Oct 03, 2023 4 mins Regulation Compliance Vulnerabilities opinion Cybersecurity professional job-satisfaction realities for National Cybersecurity Awareness Month Half of all cybersecurity pros are considering a job change, and 30% might leave the profession entirely. CISOs and other C-level execs should reflect on this for National Cybersecurity Awareness Month. By Jon Oltsik Oct 03, 2023 4 mins CSO and CISO Careers Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe