4-dial combination padlock: Is it more secure to zero it out or to blindly spin the dials after locking?
I am partially responsible for some resources protected by a 4-dial combination lock like this one:
There are two things that people will usually do after they've locked it:
- reset all the digits to 0, so that the combination reads 0000, or
- mash around on the dials a bit so that the combination reads something else.
I have a strong feeling that there is no functional difference between the two, but I am encouraged to set a best practice. So, assuming that the lock has a random combination and is practically unbreakable without entering the correct combination, which approach is more secure?
With a pick from Kevin Mitnick's Lock Pick Business Card (I have two, one undone) and watching a video to learn how, anyone can pick a 175d in a few seconds.... don't worry about how you reset the dials.
If you are actually **responsible** for valuable resources, get rid of that lousy lock **immediately**, replacing it by a proper high-quality tamper-resistant padlock, or a proper safe, depending on the value. It makes no sense to use a lousy lock that anyone can break within 30min. Worse still, many such combination locks can be broken within 1 minute if you know how, as *Chris Johns* sketches in his answer.
If a thin metal leaf can be inserted between the dials it would be easily picked
These locks (and combination locks in general) are perilously insecure, usually due to exploits that have nothing to do with guessing the combination.
AndrolGenhald's thumb must be bigger than mine, which covers two wheels. So I typically move the left two wheels, then the middle two, then the right two – varying direction – and repeating the cycle a few times.
@Michael you got it backwards: always leave the combo set, and since nobody would believe you left it unlocked, they'll always lock while trying to unlock :-)
you might want to put it close to a "false set" if you expect a skilled attacker; if you can get them to accept a wrong first digit, the rest of the attack time will be squandered.
For some reason I have a briefcase for medical things (bandages, assortment of tablets etc) and it has a code "0000". I don't know how I feel about this post.
@user21820: Why? I was always under the impression locks exist for the sole purpose of providing evidence to the insurance that the stolen items were protected. Ever since I've become aware of bump keys I've lost all trust in keys. Sure, they're a deterrent for amateurs, but for someone with the dexterity and experience in lock picking mechanical locks pose no problem at all.
@0xC0000022L: I think that's a ridiculous reason. Firstly, how is the insurance company going to check that the broken lock is actually the lock that was 'protecting' the stolen items? Secondly, and most ironically, if you claim that these locks pose no problem at all, then insurance companies could very well treat the stolen items as not protected, by your own claim. After all, every lock can be literally broken by a sufficiently powerful tool, without being 'broken'. =P
@0xC0000022L: My point was simply that the lock or whatever security you employ should have cost of breaking on par with the value of what it is protecting. From the sound of it, the asker is responsible for some 'rather' valuable resources, and using such a lousy lock is very disproportionate.
@user21820: 'fraid your "30 minutes" comment is a dangerous overestimate. It's close to 15 seconds, really; a safe designed to withstand burglary without being checked by a guard every 30 minutes must be UL-rated as TL-30. Here's an interesting video from the rating lab: https://youtu.be/OtbGUbeM860. It's quite an expensive unit; the so-called B or C "rated" safes (which lack a defined test procedure, so just buzzwords) do not hold for 15 minutes. We had a C-rated one open in about 10 min by a safesmith when the combination was lost. He used a handheld power drill alone.
@kkm: Apparently you didn't even finish reading my comment before starting your own. I said 1 min.
@0xC0000022L Only locks without security pins can be bumped or raked, otherwise the only real option is single pin picking. While some people make it look easy, the reality is that this requires significant practice and skill. There are exotic designs like the Abloy keyway that are known to be exceptionally difficult to pick. No security is perfect, but real locks are _much_ better than you think they are.
Not sure if there are more secure variants of these kind of locks, but the ones that I sporadically encountered throughout my life where _very_ easy to brute-force. It didn't require any sort of tool, putting some tension on the locking mechanism, and then trying-out combinations did the trick every single time.
Having thought about this for a week, it's going to make no difference. With 10,000 combinations, one being the opener, there are 9,999 others which just won't work. Leaving the combination anywhere will be just as 'safe', as 0000 is as random wrong as another 4-digit number. Plus, as far as colleagues are concerned, finding 0000 again is going to be seen as a waste of time for some, rightly so, and they won't bother. What consequences could there be?
In theory zeroing or any predetermined sequence is more secure as you could, in theory make a guess at how far someone might move the dials.
It is also conceivable that if you were able to check the state of the dials when locked on enough different occasions then you could narrow down the likely combination if it is being reset in a similar manner each time.
In practice this is probably a bit far fetched and anything with a combination lock probably has larger concerns eg the combination being known by too many people or the fact that any number between 1950 and 2018 plus the birth years of moderately famous people is probably a fairly good guess.
Having said that there may be operational advantages in having combinations set to zero as it gives a clear unambiguous guideline and it is easy to visually check that the lock is secure without the person doing the checking needing to know the combination, especially if actually physically checking that the lock is closed is problematic eg opening it sets off an alarm. You could also argue that adding the extra step of zeroing creates more of a routine and so makes it less likely that people will forget to set the lock at all, although this is admittedly debatable.
For example if you have a night security guard you could just ask them to check that all locks are set to 0000 which is both easy to do and verifiable.
It also gives an (admittedly weak) check that the locks haven't been tampered with, here a more arbitrary sequence would be better.
For example if you set all your locks to 2375 when you leave and the sequence is different when you get back you know that someone has been messing with them.
You should also be aware that some types of combination dial lock are very trivial to pick as you can often feel when each dial engages by quickly cycling through each dial or by probing from the outside. Equally a 4 dial lock only has 10,000 (10^4) possible combinations and you can often systematically go through combinations very quickly.
This answer is the best because it considers actual security, not just cryptographic security of the numbers themselves.
4 dial lock takes relatively long time to through all combinations, most locks on the market are 3 dial, which are very fast to open just by systematically checking all combinations. 3 dial locks should not be used for anything except child's play. Of course, any dial lock is never very secure.
If you can sift through passwords on a 4-digit lock at 1 per second, it would still take max three hours to crack. But one of those locks that you turn back and forth (Like on a locker) has 40 numbers and three digits. It takes 5 seconds per try, making it last max 100 hours. Plus, one of those locks can be left on any number without fear of making it easier to crack.
@RedwolfPrograms: you probably should redo your math. Dial locks usually have some tolerance built into the system, so dialing adjacent numbers would usually still work.
@RedwolfPrograms you should be able to go a lot faster than 1 per second, even if you cannot feel the pin engagement or insert a pick.
@OrangeDog I used 1 second, to account for the fact taht some locks require you to push on the lock or pull a lever to open, which can take a few seconds. Plus, my above calculations were maximum times
@TeroLahtinen especially if your 4-dial lock is set to detonate everything after 5 straight failures!
If we assume one try takes 1 second, then 3 dial lock takes only about 8 minutes to break (on average, worst case *2), whereas one 4 dial lock takes an hour and 23 minutes. Two 3 dial locks were common in briefcases, it take only twice the time of one i.e. on average 16 minutes, one 4 dial lock is much better.
I like the security guard aspect of this because they can verify security without needing the code themselves.
@TeroLahtinen: For whatever reason, most manufacturers of digit-dial locks fail to guard them against some relatively fast, and easy, and common exploits. I would guess that the digit-dial locks have such a reputation for weakness that people who care about security won't even consider them, and those who don't care about security wouldn't be willing to spend extra to fix the weaknesses.
@supercat maybe the purpose of dial locks in general is just to help honest people stay honest, not really stop malicious people.
@TeroLahtinen Some dial locks have a vulnerability where simultaneously trying to dial and open the lock will provide some feedback telling you if an individual dial is in the correct position. This allows the lock to be opened faster than brute force.
*the birth years of moderately famous people is probably a fairly good guess.* - is this really a common combination? I can't recall the birth year of any famous people at all.
@RedwolfPrograms, what LieRyan said about single-dial locks. The ones I'm familiar with have 60 digits, 3 numbers, and 3 digits of play; so 20 possibilities to the power of 3; so 8000. (Slightly fewer because the second number doesn't have all 20 possibilities, nor does the third, but it'll be close.) At 5 seconds = 720 attempts per hour, that's about 11 hours. (I have no idea whether 5 seconds is accurate. I heard there was a team at one of the big conventions/expos that built a robot to crack these, but I don't know what their times were.)
@LieRyan: What dial locks were you dealing with? The ones on the lockers where I went to high school reliably refused to open unless you got the combination _exactly_ right. (Half the time they didn't open then, either, but I'm pretty sure that was due to my locker being overstuffed and binding the latch mechanism rather than due to the lock itself.)