FastPDFconverter
All posts
4 min read

The tax document I emailed in plain sight (and the three minutes it would have taken to fix that)

I forwarded my W-2 and 1099s to my accountant without a password and didn't think twice. Then I remembered: email isn't encrypted end-to-end. Those files are sitting on mail servers right now.

Last February I forwarded my W-2, two 1099s, and a summary sheet with my Social Security number on it to my accountant. Hit send without a second thought. It wasn't until that evening, reading something unrelated, that the thought landed: standard email is not end-to-end encrypted. Gmail, Outlook, whatever your provider is — those messages pass through servers, get indexed, get cached, and in some configurations can be read by people other than the intended recipient. My documents with my SSN on them were just... out there.

I can't unsend that email. But every sensitive document I've sent since then has had a password on it. Here's what I've learned about doing it right.

Two kinds of PDF password — and you probably only need one

PDF security has two distinct layers people often confuse. The first is an open password, also called a user password — this prevents anyone from opening the file at all without entering a passphrase. The second is a permissions password, sometimes called an owner password — this lets anyone open the file but restricts what they can do with it, like printing or copying text.

For most personal use cases — sending tax documents, medical records, contracts, anything with personal data — you want the open password. The goal is that an intercepted file is unreadable without the key. Permissions passwords are more relevant for businesses distributing read-only reports where they want to prevent editing.

The rule that actually makes the encryption useful

Sending a password-protected file and the password in the same email defeats the entire purpose. If someone intercepts the email, they have both. The whole point is that an attacker who gets the file doesn't have the key.

Send the file by email. Send the password by text message, phone call, or a separate messaging app. Your accountant gets a brief heads-up text — 'password for the PDF is: [password]' — and the file arrives separately. It takes about thirty extra seconds and the security difference is significant.

When you need to remove a password later

You'll eventually need to unlock a PDF you protected — maybe to print it, merge it with another document, or hand it to someone who needs unrestricted access. Most tools that let you add a password also let you remove one, as long as you know the existing password. Keep a note of passwords for documents you might need later. Losing the password to a file you actually need is a real problem.

Other documents worth protecting before you send them

  • Medical records, lab results, or insurance explanation of benefits — anything with a diagnosis or treatment history
  • Scanned ID documents: passport, driver's license, anything with a document number
  • Signed contracts with bank account details, routing numbers, or payment terms
  • Pay stubs showing your full salary and employer information
  • Any form with a Social Security number or taxpayer ID on it

The common thread: if this file sat on a stranger's desk for ten minutes, what could they do with it. If the answer involves identity theft or fraud, the file should have a password before it travels anywhere.

The Protect PDF tool on this site adds an open password and encrypts the file in your browser — nothing is uploaded to a server. Set the password, download the protected file, send the password through a different channel.