Remove Password From PDF Bank Statement (SBI/HDFC/Axis)
Remove the password from SBI, HDFC, Axis, ICICI, and Kotak PDF bank statements in your browser. No upload, no signup. Default password formats explained.
- The 30-second answer
- Why bank statements arrive password-protected
- Default password formats by bank (SBI, HDFC, Axis, ICICI, Kotak, PNB, IndusInd, IDFC FIRST)
- Is it legal to remove the password?
- Step-by-step: remove the password in your browser
- What if the password does not work
- Why "no upload" matters for bank documents
- After unlock: storing and sharing safely
- Quick reference: eight banks at a glance
- Frequently asked questions
The 30-second answer
If your bank statement opens with a password prompt, the password is a fixed format the bank set the day they emailed it. SBI uses your date of birth as DDMMYYYY. HDFC uses the first four letters of your name in capital letters plus DDMM of your date of birth. Axis, ICICI, and IndusInd use the same name-plus-DDMM convention. Once you know the format, you can either keep the file locked or strip the password layer entirely so you don't have to type it every time you reconcile your accounts.
This guide covers the exact password format for the eight most-mailed Indian banks, the legal status of removing the password from a statement you own, and how to do it in your browser without uploading anything to a third-party server. The unlock tool at /unlock-pdf runs entirely in your browser using PDF.js and a WebAssembly worker — you can confirm zero network calls in DevTools while it runs.
Why bank statements arrive password-protected
The Reserve Bank of India's master direction on outsourcing of IT services (April 2023, updated October 2024) requires regulated entities to encrypt customer data at rest and in transit. When a bank emails you a monthly e-statement, the simplest enforcement of that requirement is a static user password derived from data only you and the bank know — usually a combination of your date of birth, your name, and sometimes your customer ID.
The encryption is real. Indian retail banks ship PDFs with AES-128 encryption (AES-256 for newer corporate statements), and Adobe Reader, Foxit, and pdf.js all refuse to render the page content until the correct password is supplied. If you forward the file to your chartered accountant or your spouse, they will need the same password to open it.
The password is not protecting the bank from you. It protects the bank from a leaked email server, a stolen laptop, or a misforwarded thread. Once the file is in your hands and none of those scenarios apply, you can remove the password layer and store the unlocked statement wherever you like.
Default password formats by bank
Every Indian retail bank publishes the password format on a public support page. The formats below cover auto-mailed monthly e-statements. On-demand statements pulled from a banker portal sometimes use a one-time password printed on the same screen — that case is out of scope here.
State Bank of India (SBI)
Format: DDMMYYYY of date of birth.
Example: A customer born on 15 March 1985 → 15031985.
Source: SBI customer-support page on e-statement password (sbi.co.in support portal, last updated November 2024).
HDFC Bank
Format: First four letters of customer name in uppercase + DDMM of date of birth.
Example: Rajiv Kumar born 7 August 1990 → RAJI0708.
If your first name has fewer than four letters (e.g., "Ravi"), HDFC pads with the next letter from the surname or uses the full first name — the support article specifies the padding rule for short names.
Source: HDFC e-statement help page.
Axis Bank
Format: First four letters of customer name in capitals + DDMM of date of birth.
Example: Priya Sharma born 22 February 1992 → PRIY2202.
For some legacy account holders, Axis still uses customer ID + DDMMYYYY. If the name-based format does not work, try CUSTID + DDMMYYYY.
Source: Axis Bank password reset page.
ICICI Bank
Format: First four letters of customer name in uppercase + DDMM of date of birth.
Example: Anita Verma born 11 January 1988 → ANIT1101.
Source: ICICI Bank "How do I open my e-statement" FAQ.
Kotak Mahindra Bank
Format: First four letters of name in caps + DDMMYY (two-digit year).
Example: Suresh Patel born 5 May 1980 → SURE050580.
Source: Kotak customer service e-statement page.
Punjab National Bank (PNB)
Format: 16-digit PNB account number for most account types.
Source: PNB "Accessing E-Statement" guideline.
IndusInd Bank
Format: First four characters of name in uppercase + DDMM of DOB. Same convention as HDFC and ICICI.
IDFC FIRST Bank
Format: First four characters of customer name in uppercase + DDMMYY of DOB.
Example: Meera Pillai born 19 June 1985 → MEER190685.
For banks not listed above, the password rule is almost always printed in the email body that delivered the statement. Search the email for "open this PDF" or "password" — it is the same boilerplate the bank's mailer sends every month.
Is it legal to remove the password?
Yes, for your own statement. Section 65 of the Information Technology Act, 2000 covers tampering with computer source documents — but the offence requires intent to cause damage to a third party. Decrypting your own statement to read it on your own laptop falls outside that section.
What is not legal: removing the password from someone else's statement, or distributing an unlocked statement that contains a third party's account information. If your CA needs your statement, send it to them with the password — or unlock it on your own machine and re-encrypt with a password your CA can use.
For income tax filings, the e-filing portal accepts both password-protected and unlocked PDFs. Most CAs ask for the unlocked version because their workflow scrapes data with parsers that cannot handle the encryption layer. Tally and Zoho Books importers also reject encrypted PDFs.
Step-by-step: remove the password in your browser
PDF Mavericks runs the entire decryption flow inside your browser tab. The file is held in memory, decrypted with PDF.js plus a WebAssembly worker, and re-saved as a plain PDF. Nothing uploads.
- Open /unlock-pdf in any modern browser (Chrome, Edge, Firefox, Safari). No app install, no account, no email signup.
- Drag the locked statement into the dropzone, or click Choose file.
- Type the password using the format from the previous section. The password field shows a dot pattern and never leaves the page.
- Click Unlock. Decryption runs locally — verify by opening DevTools (F12), switching to the Network tab, and confirming there are zero outbound requests during the unlock.
- Click Download to save the unlocked PDF. The original locked file on your disk is unchanged; the download is a fresh copy with the password layer removed.
A 12-page statement decrypts in under 2 seconds on a 2020-era laptop. A 200-page statement (e.g., a corporate account year-end PDF) takes around 8 seconds. The bottleneck is your CPU, not the network — which is the point.
What if the password does not work
Three common causes, in order of frequency:
Wrong format. Confirm the bank from the email "from" address, not from the statement filename. Banks do not change the format mid-year, but customer migrations between bank entities (HDFC + HDB merger in 2025, IDFC + Capital First merger in 2018) sometimes flip the format for a billing cycle.
Date of birth on file is different. If you opened the account with one DOB and updated it later via re-KYC, the e-statement may still use the original DOB on the bank's core banking record. Check your account-opening form or your last successful net-banking challenge question.
File is corrupted. A PDF that was forwarded as inline content (instead of as an attachment) sometimes loses the trailer dictionary needed for decryption. Ask the bank to resend, or download the original from net-banking.
If none of the above works, the bank's support line can issue a one-time password for that specific statement. SBI, HDFC, and Axis all expose this on their IVR — option for "e-statement password reset."
Why "no upload" matters for bank documents
A locked PDF on your own device is end-to-end private — only you have the password. The moment you upload that PDF to a website that promises to remove the password, two things happen:
- The server now has the encrypted PDF. If the password derivation is predictable (DDMMYYYY can be brute-forced in milliseconds on modern hardware), the operator can read the statement.
- Most server-side unlock tools log the file. The privacy policy may say "files are deleted after 30 minutes" — but that is the operator's promise, not a verifiable property.
The browser-only model removes both risks. If the page never makes a network request after the file enters memory, the file cannot be read by anyone except you. That is a property you can verify in DevTools, not a promise.
This matters more for bank statements than almost any other document type. A leaked statement reveals salary, EMI obligations, rent payments, lifestyle spend, and counter-parties — exactly the data set an identity thief or social engineer needs to clone your financial profile.
After unlock: storing and sharing safely
Decide where the unlocked PDF lives.
For your own records, keep the unlocked file in an encrypted folder (BitLocker on Windows, FileVault on macOS, LUKS on Linux). Do not drop it into a generic Google Drive folder shared with multiple people.
For your CA or financial planner, send the unlocked file via end-to-end encrypted channels (Signal, ProtonMail, encrypted Zoho WorkDrive). Plain email attachments are fine if your CA's mailbox is on a domain you control or your employer controls; otherwise prefer a secure share link with an expiry.
If you want to keep a password but a stronger one than the bank's default, re-encrypt with /password-protect-pdf. Pick a 16-character random password from a password manager — anything you can memorise is too weak for a document that contains your account number.
When to NOT remove the password
Three cases where leaving the password on is the better call:
- The PDF will be stored on a shared computer (family laptop, office machine) — keep the encryption.
- The PDF is going to a service portal that accepts password-protected uploads (most ITR e-filing flows do).
- You suspect device compromise — leave the password on while you investigate.
For everything else, the convenience of an unlocked file beats the marginal security of a six-character bank-default password.
Quick reference: eight banks at a glance
Same example customer for all rows: Rajiv Kumar, born 7 August 1990, account number 1234567890123456.
| Bank | Password format | Example |
|---|---|---|
| SBI | DDMMYYYY | 07081990 |
| HDFC | First 4 of name (caps) + DDMM | RAJI0708 |
| Axis | First 4 of name (caps) + DDMM | RAJI0708 |
| ICICI | First 4 of name (caps) + DDMM | RAJI0708 |
| Kotak | First 4 of name (caps) + DDMMYY | RAJI070890 |
| PNB | 16-digit account number | 1234567890123456 |
| IndusInd | First 4 of name (caps) + DDMM | RAJI0708 |
| IDFC FIRST | First 4 of name (caps) + DDMMYY | RAJI070890 |
Save this table. It is the same one your bank's customer-service rep reads from when you call to ask why the file won't open.
Your statement never leaves your browser
PDF Mavericks runs PDF.js plus a WebAssembly decryption worker entirely on your device. No file is uploaded to any server. Verify in DevTools → Network panel: zero outbound requests during unlock.
Frequently asked questions
Is it legal to remove the password from my own bank statement PDF?
Yes. Section 65 of the Information Technology Act, 2000 covers tampering with computer source documents only when there is intent to damage a third party. Decrypting your own statement to read or store it on your own device is outside that section. What is not allowed is unlocking someone else's statement or distributing an unlocked statement that contains a third party's account data without consent.
What is the default password for an SBI bank statement PDF?
SBI uses your date of birth in DDMMYYYY format with no separators. A customer born on 15 March 1985 enters 15031985. The format is published on the SBI customer support portal under e-statement password help and applies to monthly auto-mailed statements for retail savings and current accounts.
What is the default password for an HDFC bank statement PDF?
HDFC uses the first four letters of your customer name in uppercase, followed by your date and month of birth in DDMM format. A customer named Rajiv Kumar born on 7 August 1990 enters RAJI0708. The same convention is used by ICICI, Axis, and IndusInd, so once you have one decoded the rest follow the same pattern.
Will my bank statement get uploaded to a server when I unlock it on PDF Mavericks?
No. The unlock runs entirely in your browser tab using PDF.js plus a WebAssembly worker. The file is held in memory, decrypted locally, and offered for download. You can verify this by opening DevTools (F12), switching to the Network panel, dragging the file in, and confirming there are zero outbound requests during the unlock step.
Can I unlock a corporate or current-account bank statement the same way?
Yes, the encryption layer is the same AES standard whether the statement is for a savings account, current account, or corporate account. The password format may differ for corporate accounts, where the bank often uses the customer ID instead of date of birth. Check the email that delivered the statement, where the bank prints the exact format in the body.
What if my CA cannot open the unlocked PDF I sent?
Two common causes: the unlocked PDF was opened in a viewer that re-applies the password from cache, or the file was zipped after unlock and the zip viewer scrambled the trailer. Re-download the unlocked copy directly from the unlock tool, attach the PDF (not the zip) to a fresh email, and ask your CA to confirm the file size matches what you uploaded. If they still see a password prompt, the original file is being attached instead of the unlocked copy.