Encrypted Document & Passwords – Severing the Head From the Body

For users of any current version of Acrobat (Pro, Cloud, or similar versions), securing a PDF attachment with a password is relatively simple. Open the File menu, select Properties, navigate to the “Security” tab, and change the document security settings by adding “Password Security”. From here, you can add a password to open the document, print the document, perform assembly functions, or restrict editing. Choose whichever options you want; just keep in mind that your recipient still needs to be able to do what they need to do.

The security problem arises when the sender includes the password with the “secured” document: for example, attaching the document to an email and stating the password in the body of that same email, or texting the document and including the password in the body of the text.

To preserve the protection that password encryption gives the PDF attachment, the password must be sent or communicated to the recipient under separate cover. For example, the sender can transmit the secured/encrypted PDF in a generalized, non-descriptive email and then call the recipient with the password or fax it. Similarly, a sender can mail a “secured” PDF that is saved to a disc, flash drive, or other similar device and, contemporaneously but under separate cover or by a separate mode of transmission, communicate the password to the recipient.
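A pre-send check for the mistake described above can be automated. The following is an added example, not part of the original post: it flags a message whose text states a password while an encrypted PDF is attached. The function names, the phrase pattern, and the sample message are assumptions constructed for illustration, and the `/Encrypt` test is a heuristic rather than a full PDF parse.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed phrasing: wording that hands over a secret in the message text.
PASSWORD_HINT = re.compile(
    r"\b(?:password|passcode|passphrase|pwd)\b\s*(?:is|:|=)\s*\S+", re.I)

def is_encrypted_pdf(data: bytes) -> bool:
    # An encrypted PDF carries an /Encrypt entry in its trailer dictionary.
    # A substring search is a heuristic, not a full PDF parse.
    return data.startswith(b"%PDF-") and b"/Encrypt" in data

def check_message(raw: bytes) -> list:
    """Return filenames of encrypted PDFs sent alongside a stated password."""
    msg = message_from_bytes(raw, policy=policy.default)
    text = msg["Subject"] or ""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text += "\n" + body.get_content()
    if not PASSWORD_HINT.search(text):
        return []  # no password stated in the subject or body
    flagged = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        if is_encrypted_pdf(data):
            flagged.append(part.get_filename() or "(unnamed)")
    return flagged

def build_sample(body: str) -> bytes:
    # Constructed sample: a stub that only imitates an encrypted PDF's markers.
    fake_pdf = b"%PDF-1.6\ntrailer\n<< /Encrypt 5 0 R /Root 1 0 R >>\n%%EOF\n"
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "Document"
    m.set_content(body)
    m.add_attachment(fake_pdf, maintype="application", subtype="pdf",
                     filename="agreement.pdf")
    return m.as_bytes()

if __name__ == "__main__":
    for body in ("Attached. The password is Tr0ub4dor",
                 "Attached. I will call you with the details."):
        print(repr(body), "->", check_message(build_sample(body)))
```

A hit means the password and the document are travelling together and should be split before sending; a clean result does not prove the password was communicated safely.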

The basic idea and principle behind this concept of “secured/encrypted” communication is (as I call it) “to sever the head from the body”: if the password gets into the wrong hands, it is useless without the encrypted document; likewise, if an encrypted document ends up in the wrong hands, it is useless without the password.

So, regardless of which methods you choose to separate the “secured/encrypted” documents or information from the passwords that enable access to them, just make sure to keep the information and the passwords separated. Likewise, if you are “securing” information in an attachment, do not replicate or restate that “secured” information in the body of the communication unless the entire communication is “secured/encrypted”. Otherwise, your efforts will likely be an exercise in futility.

As a final note, remember to keep a log or record of the passwords you create, as they relate to the encrypted document, so that you don’t end up “securing” documents from your own access (locking yourself out of your own documents). If you end up doing this, your exercise in futility will likely end up as an exercise in self-inflicted due diligence.


Posted by: cbusey on August 18, 2016