My son got a new lock for school yesterday: a Master Lock model 1500i. As opposed to the classic twist dial, this modern lock opens with a joystick sequence. Push the bar Up, Down, Left, Right, then pull to open. He brings it home: “Hey dad, look at this shiny new lock!” As a computer programmer, my immediate response is “Wow, that’s not much key space!”

The default password is 4 steps of 4 actions = 4**4 possible combinations = 128 possibilities. On average it will take only half of that to brute force the key, so this lock is “pretty open”. One entry every 10 seconds means about 10 minutes of hard effort and the lock is done.

Note: It’s plenty good for the school, but stick with me on the idea.

Combination is user settable

Being from a security-minded family, my son changes the password so that it now has 5 positions! This multiplies the key space by 4, giving conceptually 512 combinations and raising the average brute force to 256!

Would it be better with 10 actions? Sure, but this is rather like telling people to have longer passwords: eventually you can’t remember them and they take a really long time to enter.

Comparison to classic locks

I went to the store at lunch today and bought a classic Master Lock dial lock. This one has 3 number selections in the range 0..39. 40**3 = 64,000 possible combinations. Much better! On average, I’d have to try 32,000 times to brute force.

Key space vs. usable keys

The classic lock has 40 numbers, but you can “miss by a bit” and the lock will still open. This means that the 40 positions aren’t really 40. There is also the fact that the last number can be tried continuously while rotating the dial, so you can bring down the key space really quickly.

Figuring it would be good to have an actual accurate number, I went looking.

The power of Google search found college class materials from Professor Traynor at Georgia Tech, which include references to a paper by Matt Blaze (see page 5 of the PDF) that studies the problem. The classroom example uses a commercial safe lock with 100 positions = 100**3, which reduces to 22,300 real possibilities once you get rid of the “fluff” and the invalid passwords. For example, there are whole regions of the ring which cannot be used for the last number. The 0..39 Master Lock is bound to be much less. Again, it’s plenty good for the kids’ school.

I must say, really cool that GA Tech has a class on hacking locks.

Okay – I’m lost in the math.

Back to the point: Password length really isn’t important.  Whether the number of tries is 256 for the joystick lock, or 22,300 for a reasonably good commercial safe, it’s still way easier to attack the lock in other ways.

Time to study

You can kill way too much time with this, but visit YouTube and search for “Hack Master Lock”. Here, you will find 47 kids below the age of 5 showing you how to use a Coke can and a pair of scissors to bypass the Master Lock “password” in a matter of minutes. All of them can do it in under 15 seconds, but I must say that very few do it with good lighting, the cinematography is generally poor and they always have their hands covering the lock at the precise moment of clarity!

Guzzled a Coke and tried it myself, good time. So far, I haven’t pulled it off, but I will!

The key thing to note is that the quick method of hacking the lock doesn’t even touch the password dial! It doesn’t matter how many numbers are in the password; nobody is going to enter them!

Comparisons to computer security

We all get excited: “passwords should be really long and must include special characters”! Communication protocols should use “really long keys”! RSA 2048 is surely better than RSA 1024! Be sure to change your password every 60 days! This is all great, but when a 5-year-old with a “Coke can” can bypass the password altogether, all this discussion of password length rather misses the point.

Keeping things protected in computers is … hard. We connect them to the Internet and then tell the world to not get in. It’s hard. The outsiders are not trustworthy! The insiders are not trustworthy. You are not trustworthy. Your administrator got hacked too!

I found the coke can hacking an interesting topic.  The parallels to computer security are too fun to pass up – and a bit troubling.

Hope you enjoyed this…

-Joe Nord