Is it safe to use online "unlock PDF" services for bank statements?

No. Uploading an encrypted bank statement plus its password to a generic third-party service hands a copy of your statement and the key to a stranger with no contractual constraint on what they do with it. We have seen the same site appear under three different domains in two years. Use Adobe / Preview / your browser for one-off viewing, or a tool that decrypts in memory without retaining the file.

Can a bank PDF password be brute-forced?

Effectively no. Bank statements use AES-128 or AES-256 encryption with a key derived from the password. Brute-forcing AES-128 is not feasible on consumer hardware, and tools that claim otherwise either only attack very weak dictionary passwords or are stripping the owner-password (which is a different and much weaker access control). Don't waste time or money on this; re-download from online banking instead.

What's the difference between user password and owner password?

User password (also called encryption-on-open or document-open password) actually encrypts the file with AES; without it, no software can render the contents. Owner password only sets permission flags (no copy, no print) inside an otherwise readable PDF; almost any PDF library can ignore those flags. Banks use the user password type for real protection; the owner password offers no meaningful security.

I typed the password correctly but it still says wrong. Why?

Three common causes: (1) whitespace or leading-zero stripping (SSN 0042 must be typed as 0042 not 42); (2) UTF-8 encoding mismatch on accented or special characters typed on a non-US keyboard at password-set time; (3) a two-layer XFA-form encryption where the outer layer opens but the inner form data has separate access controls. The XFA case is bank-specific; for Chase business statements, re-downloading in the PDF (not XFA PDF) format option from the portal usually fixes it.

What about scanned encrypted statements?

PDF encryption applies regardless of whether the contents are scanned or text-native. Once decrypted in memory, the parser path is the same: scanned files go through vision OCR, text-native files go through direct extraction, and both paths run the running-balance reconciliation before producing the export.

May 14, 2026 · 9 min read

Password-protected bank statement PDFs: how to convert them safely without uploading the password to a stranger

Q: Do you log my PDF password?

No. The password is sent over TLS with the file, used once to decrypt the PDF in memory on the parser worker, and discarded. It is not written to disk, not logged, not retained in any session, not echoed back in any API response, and not visible to support. The audit trail records that decryption happened (a boolean flag) but never the password value.

Most banks ship encrypted statement PDFs by default. The conversion is easy when you have the password and impossible when you don't, but the part that matters most is what happens to the password during the conversion itself.

Most US and UK banks now ship statement PDFs that won't open until you type a password. Some are emailed encrypted as a security measure when the bank can't be sure of the recipient's mailbox; others come from the online-banking portal with a password you set yourself; a third class encrypts everything by default unless you opt out. The encryption itself is fine, that is what it's for. The problem is what happens at conversion time.

If you upload an encrypted PDF and a password to a generic online "unlock PDF" service, you have just given a stranger your bank statement and the key to it. The conversion ran and gave you a clean spreadsheet, sure, but a copy of the file (and the password) now sits on someone else's server with no contractual constraint on what they do with it. This is the most common avoidable security mistake we see in our support inbox: the user got their conversion done quickly, and they will not realise the cost until later, possibly never.

Here is how the encryption types break down, what the actual conversion options are, and what to do when the password isn't what you think it is.

Two encryption types, very different implications

Encryption-on-open. The PDF is encrypted with AES-128 or AES-256 using a key derived from the password. Without the password, no software can render the file at all. The PDF reader prompts you for the password the first time, decrypts in memory, and shows you the contents. This is what almost all bank statement PDFs use. It's real encryption, in the cryptographic sense, and that is good.

Owner-password restriction. The PDF opens without a password, but printing, copying, or extracting text is blocked unless you provide an "owner password." This is much weaker. The owner password lives in cleartext in the PDF's permission flags, and any PDF library can ignore it (Adobe famously honours it; almost everyone else does not). Banks rarely use this on customer-facing statements; when they do, it doesn't actually protect anything.

If your file opens but won't let you copy text, that is the owner-password kind, and any conversion tool will read it without you supplying anything. If your file won't open at all without a password prompt, that is the encryption-on-open kind, and you genuinely need the password.

What banks use as the default password

For statements emailed encrypted (rather than downloaded from the portal), most US and UK banks use a deterministic default unless you've changed it in account settings. The patterns we see most often:

Chase mailed statements: last 4 digits of the SSN, sometimes plus the 2-digit birth year for newer accounts.
Bank of America portal-downloaded statements: typically not encrypted unless you opted in. Encrypted ones use a self-set password from online banking, not a default pattern.
Wells Fargo: portal downloads are unencrypted; mailed eDelivery statements use a self-set password set during eDelivery enrolment.
Citi: typically last 4 of SSN for legacy accounts, customer-set for accounts opened in the last few years.
American Express emailed statements: customer-set during paperless enrolment, no default fallback.
Barclays UK: typically a 6-digit memorable PIN set in online banking, not a default.
HSBC UK: customer-set during eStatement enrolment, no default; if you forgot it, you have to re-enrol.
Capital One, Discover, USAA, Navy Federal, PNC, US Bank: portal downloads are unencrypted; the encryption-on-open variant only applies to specific email-delivery enrolments and uses customer-set passwords.

If your bank isn't in this list and you can't remember setting a password: the safest path is to log into online banking and re-download the statement. Portal downloads are almost always unencrypted, even when emailed copies are.

What conventional "unlock" tools actually do

Adobe Acrobat / Apple Preview / browser PDF viewer. Prompt for the password, decrypt in memory, render. They do not save a decrypted copy unless you explicitly Save As. This is the reference-standard safe path for one-off viewing. The downside: there's no batch flow, and you still need to either retype every transaction into Excel or run a separate conversion step on the (still-encrypted) original.

Free online "unlock PDF" sites. Upload the encrypted file plus the password to their server, get back a decrypted PDF. The decryption itself works, but you've handed a copy of your bank statement and its password to a third party with no DPA, no retention policy you can enforce, and often no clear ownership. We have seen the same site appear under three different domains in two years; do not use these for financial documents. Ever.

Browser print-to-PDF re-save trick. Open the encrypted PDF in your browser, go to Print, choose "Save as PDF" instead of a printer. The output is unencrypted because it's a re-render, not the original file. This works for simple statements but breaks on documents that use XFA forms or have embedded JavaScript (some Chase business statements, certain Wells Fargo combined-product files), and you lose the source PDF's metadata, which matters in any compliance or audit context where the file's provenance has to be preserved.

Command-line tools (qpdf, pdftk). Genuinely safe because they run locally. qpdf --decrypt --password=PASS input.pdf output.pdf produces a decrypted copy you can then run any extractor against. The downside is that you're creating an unencrypted artefact on disk, which negates part of the security model the bank set up; treat that file like the original and shred it after extraction.

What our pipeline actually does

When you upload an encrypted PDF, the dropzone detects the encryption flag and prompts for the password inline before the file leaves the browser's memory in any uploadable form. The password is sent over TLS in the same request as the file, used once to decrypt the PDF in memory on the parser worker, and discarded. It is not written to disk, not logged, not retained in any session, not echoed back in any response, and not visible to support. The decrypted in-memory representation is what runs through the extraction and reconciliation pipeline; it never gets persisted as a decrypted file. Once the conversion finishes and the JSON result is returned, the worker process loses the password and the PDF together.

The audit trail records that decryption happened (a boolean flag in the conversion log), but never the password value or even a hash of it. This matters in two contexts. First, in any QC or regulator-facing review where someone needs to reproduce the conversion: they will need the password too, the same way the original conversion did. Second, in any user-side incident-response scenario: you can confidently tell auditors that the password did not get cached anywhere on our infrastructure, because it is not in any of our infrastructure.

What to do when the password doesn't work even though it's right

Three specific situations cause "but I typed it correctly" password failures:

Whitespace and case mismatches. SSN-based defaults are exactly four digits with no leading zeros stripped: a SSN ending in 0042 needs to be typed as 0042, not 42. Birthday-based defaults are MMDDYY, not MMDDYYYY, and not the European DDMMYY. Caps Lock matters in self-set passwords more often than people remember.

Encoded characters. Some self-set passwords containing non-ASCII characters (accented letters, symbols typed on a non-US keyboard) end up encoded differently in the password-prompt UTF-8 string than they were when set. The fix is usually to set a new password from online banking using ASCII-only characters and re-download.

XFA-form encryption layers. A small number of bank PDFs (some Chase business statements, certain HSBC UK combined files) use a two-layer encryption: an outer layer that the password unlocks, plus an inner XFA form whose data nodes have separate access controls. The PDF opens with the password but the transaction data still won't extract. The fix is bank-specific; for Chase it's usually re-downloading the file from the portal in the "PDF" (not "XFA PDF") format option.

When you don't have the password at all

Brute-forcing an AES-128 PDF password is not feasible. Online tools that claim otherwise are either lying, only attacking very weak passwords from a known dictionary, or stripping the owner-password (which doesn't apply here). Don't waste time on this and do not pay for "PDF password recovery" software targeting bank documents.

The path that actually works is: log into online banking and re-download the statement, which will arrive without a password (portal downloads are usually unencrypted even when emailed copies are encrypted). If you no longer have account access (closed account, deceased estate, contested divorce), the bank can produce a fresh certified copy on request, with no encryption, in the same format the institution would produce under subpoena. Both paths take longer than a brute-force fantasy but they actually work.

In a litigation or discovery context (opposing-counsel productions, asset-tracing engagements), the right move is to flag the encrypted file in the discovery log and request the unencrypted version through the same channel that produced it. A protective order may already cover this; if not, encrypted files are reasonable grounds for a clarifying request. The deeper protocol around handling opposing-counsel PDFs lives on the forensic accountants page and in how forensic accountants detect altered bank statements.

After decryption, the reconciliation still applies

An unencrypted statement is not a verified statement. The PDF being readable says nothing about whether the row set will sum to the printed ending balance, whether the parser handled the layout correctly, whether a row got dropped at a page break, or whether the statement was altered after the bank produced it. The running-balance reconciliation runs on every conversion regardless of encryption status, and a Verified badge on a previously-encrypted file means exactly the same thing it means on an open one: Σ(transactions) equals (ending − beginning) within a penny. The seven causes that produce a failed reconciliation, broken down in the balance-mismatch field guide, all apply to decrypted files too.

For the audience-specific operational specifics — how loan officers handle borrower files arriving in mixed encrypted / unencrypted formats, how bookkeepers process client batches with per-client passwords, how family-law attorneys handle encrypted disclosure productions — the four vertical pages have the workflows: lenders, bookkeepers, divorce attorneys, forensic accountants.

Convert an encrypted statement — password used in memory, never logged, 15 free pages no card