157

I am partially responsible for some resources protected by a 4-dial combination lock like this one: [image: Lock]

There are two things that people will usually do after they've locked it:

  • reset all the digits to 0, so that the combination reads 0000, or
  • mash around on the dials a bit so that the combination reads something else.

I have a strong feeling that there is no functional difference between the two, but I am encouraged to set a best practice. So, assuming that the lock has a random combination and is practically unbreakable without entering the correct combination, which approach is more secure?

Anders
  • 64,406
  • 24
  • 178
  • 215
Peter Schilling
  • 1,419
  • 2
  • 7
  • 8
  • 46
    With a pick from [Kevin Mitnick's Lock Pick Business Card](https://www.mitnicksecurity.com/shopping/kevin-mitnick-lock-pick-business-card) (I have two, one undone) and watching a [video](https://youtu.be/D7jwY81-gQY) to learn how, anyone can pick a 175d in a few seconds.... don't worry about how you reset the dials. – CGCampbell Apr 13 '18 at 19:23
  • 42
    Don't reset all the digits to 0 if the combination is 0000! ;-) – Michael Apr 13 '18 at 20:58
  • 14
    Zero it out AND set the combination to 0000. Fool proof. – RenaissanceProgrammer Apr 14 '18 at 00:36
  • 63
    If you are actually **responsible** for valuable resources, get rid of that lousy lock **immediately**, replacing it by a proper high-quality tamper-resistant padlock, or a proper safe, depending on the value. It makes no sense to use a lousy lock that anyone can break within 30min. Worse still, many such combination locks can be broken within 1 minute if you know how, as *Chris Johns* sketches in his answer. – user21820 Apr 14 '18 at 05:12
  • 1
    If a thin metal leaf can be inserted between the dials it would be easily picked – bradbury9 Apr 15 '18 at 18:46
  • 8
    These locks (and combination locks in general) are perilously insecure, usually due to exploits that have nothing to do with guessing the combination. – trognanders Apr 16 '18 at 02:44
  • 1
    BosnianBill has a pretty good video about it.. he knows locks. https://www.youtube.com/watch?v=L0QuuGRbUbU . Here is another about Master 175 and clones: https://www.youtube.com/watch?v=LIgk-TN6WXM – trognanders Apr 16 '18 at 02:48
  • 2
    AndrolGenhald's thumb must be bigger than mine, which covers two wheels. So I typically move the left two wheels, then the middle two, then the right two – varying direction – and repeating the cycle a few times. – Anton Sherwood Apr 16 '18 at 04:24
  • 2
    @Michael you got it backwards: always leave the combo set, and since nobody would believe you left it unlocked, they'll always lock while trying to unlock :-) – Carl Witthoft Apr 16 '18 at 15:44
  • 1
    you might want to put it close to a "false set" if you expect a skilled attacker; if you can get them to accept a wrong first digit, the rest of the attack time will be squandered. – dandavis Apr 17 '18 at 05:09
  • 1
    For some reason I have a briefcase for medical things (bandages, assortment of tablets etc) and it has a code "0000". I don't know how I feel about this post. – L_Church Apr 17 '18 at 13:34
  • 4
    @user21820: Why? I was always under the impression locks exist for the sole purpose of providing evidence to the insurance that the stolen items were protected. Ever since I've become aware of bump keys I've lost all trust in keys. Sure, they're a deterrent for amateurs, but for someone with the dexterity and experience in lock picking mechanical locks pose no problem at all. – 0xC0000022L Apr 18 '18 at 07:26
  • 1
    @0xC0000022L: I think that's a ridiculous reason. Firstly, how is the insurance company going to check that the broken lock is actually the lock that was 'protecting' the stolen items? Secondly, and most ironically, if you claim that these locks pose no problem at all, then insurance companies could very well treat the stolen items as not protected, by your own claim. After all, every lock can be literally broken by a sufficiently powerful tool, without being 'broken'. =P – user21820 Apr 18 '18 at 14:52
  • 3
    @0xC0000022L: My point was simply that the lock or whatever security you employ should have cost of breaking on par with the value of what it is protecting. From the sound of it, the asker is responsible for some 'rather' valuable resources, and using such a lousy lock is very disproportionate. – user21820 Apr 18 '18 at 14:55
  • 1
    @user21820: 'fraid your "30 minutes" comment is a dangerous overestimate. It's close to 15 seconds, really; a safe designed to withstand burglary without being checked by a guard every 30 minutes must be UL-rated as TL-30. Here's an interesting video from the rating lab: https://youtu.be/OtbGUbeM860. It's quite an expensive unit; the so-called B or C "rated" safes (which lack a defined test procedure, so just buzzwords) do not hold for 15 minutes. We had a C-rated one open in about 10 min by a safesmith when the combination was lost. He used a handheld power drill alone. – kkm Apr 19 '18 at 00:31
  • 1
    @kkm: Apparently you didn't even finish reading my comment before starting your own. I said 1 min. – user21820 Apr 19 '18 at 05:12
  • 1
    @user21820: Why, I did. But I hear you, no point. – kkm Apr 19 '18 at 14:28
  • 1
    @0xC0000022L Only locks without security pins can be bumped or raked, otherwise the only real option is single pin picking. While some people make it look easy, the reality is that this requires significant practice and skill. There are exotic designs like the Abloy keyway that are known to be exceptionally difficult to pick. No security is perfect, but real locks are _much_ better than you think they are. – trognanders Apr 19 '18 at 21:56
  • 1
    Not sure if there are more secure variants of these kind of locks, but the ones that I sporadically encountered throughout my life were _very_ easy to brute-force. It didn't require any sort of tool, putting some tension on the locking mechanism, and then trying-out combinations did the trick every single time. – r41n Apr 20 '18 at 07:19
  • 1
    Having thought about this for a week, it's going to make no difference. With 10,000 combinations, one being the opener, there are 9,999 others which just won't work. Leaving the combination anywhere will be just as 'safe', as 0000 is as random wrong as another 4-digit number. Plus, as far as colleagues are concerned, finding 0000 again is going to be seen as a waste of time for some, rightly so, and they won't bother. What consequences could there be? – Tim Apr 20 '18 at 08:35
  • Since my high school, I can open many of them with my eyes only by determining the key. The rotor in the counters have a cut, once you started to see it, the number is +5 mod 10 – kelalaka Nov 17 '18 at 10:06

12 Answers

193

I would recommend setting it to 0000 or some other specified combination (doesn't really matter what).

"Mashing around the dials" is a little vague, but I would guess based on my own behavior that people would tend to move most or all of the dials at once, which would create a strong correlation between the current combination and the lock combination. For instance, if the lock combination is 1234, someone might change it to 5678 (probably not exactly, but close enough that an attacker could prioritize the combinations they try).

Humans also have a tendency to think some things seem more secure when they actually weaken security. Someone may try to set it to a combination that seems "further" from the lock combination, such as changing 1234 to 6578 instead of 2142 because 2142 is too "close" to the lock combination. This could allow an attacker to prioritize the order they attempt combinations. Specifying a constant value to set it to avoids such issues.

AndrolGenhald
  • 15,436
  • 5
  • 45
  • 50
  • 118
    And if the combination is 1234, probably no one will let it be x2xx after shuffling it. An attacker records the numbers on the lock time and time again and can create a profile of likely digits based on that. – ThoriumBR Apr 13 '18 at 15:25
  • 29
    @ThoriumBR So true. Most people may even deliberately avoid having part of their code show up. I just need to watch you spin the lock half a dozen times to narrow down exactly what 4 numbers you use, then I have only 4*3*2*1 = 24 combinations to test out. You just completely destroyed your security due to your own flawed idea of what security is... – Nelson Apr 13 '18 at 16:38
  • 41
    Short version: Humans are even worse at RNG than computers, even if we think otherwise. – Kamil Drakari Apr 13 '18 at 18:27
  • 77
    In the real world, both options are basically equivalent, because if someone actually wants in badly enough to break the law, they're not going to do statistics or spend hours trying every combination. They're going to use a crowbar or a drill. – BlueRaja - Danny Pflughoeft Apr 13 '18 at 18:32
  • 13
    As a practical matter, setting 0000 is probably better since it will indicate to an attacker that they should move on to an easier target. Even if the attacker doesn't crack your code, you don't want to encounter them making an attempt. – MooseBoys Apr 13 '18 at 19:26
  • 7
    @BlueRaja-DannyPflughoeft Unless they want to steal something every other week, something that can be missed and nobody would make a fuss. – ThoriumBR Apr 13 '18 at 20:28
  • @ThoriumBR, that's what [the lockpick card](https://www.mitnicksecurity.com/shopping/kevin-mitnick-lock-pick-business-card) mentioned in CGCampbell's comment is for. – NH. Apr 13 '18 at 20:54
  • 9
    Regarding humans making sure none of the combination digits are in the "random" incorrect combination, in World War 2 the Germans did this in their Enigma machine. They made sure that a letter would never get encoded as itself. This helped the British to break the code. – CJ Dennis Apr 14 '18 at 01:30
  • 1
    @CJDennis: Attributing breaking the enigma to the British alone is not really fair. – tomasz Apr 14 '18 at 11:04
  • 1
    Setting to 0000 doesn’t do much, if someone wants to unlock, it is pretty fast to use a knife pick to find the gates and with that the combination (about 40 sec). This doesn’t get faster or slower when a specific combination is set. People that want to get in without causing damage are not likely to “try” a bunch of combinations. – John Keates Apr 14 '18 at 18:10
  • Unless your lock combination is 0000 itself. – Cœur Apr 16 '18 at 01:10
  • 1
    What everyone is missing is that the correlation between the correct combination and a poorly-randomized locked state that's the result of some mashing is largely irrelevant. If correct numbers were identified in sequence, it would be an issue, since learning how the locked state relates to the open state for one number gives you some information about how the others might have been rotated. But that's not the case - the whole lock opens at once, and the space of "correlation patterns" like all knobs +1 or +2, or some +3 and others -3 quickly becomes too large to have any practical impact. – Nuclear Hoagie Apr 16 '18 at 15:41
  • 1
    @KamilDrakari Here's a link you can give to people to manifestly demonstrate that fact, and generally how easy it is to predict humans: http://web.media.mit.edu/~guysatat/MindReader/index.html – Derek Elkins left SE Apr 17 '18 at 16:35
  • Unfortunately, 0000 will cause some of the dials to move more over their lifetime, causing what I presume is detectable wear. – Mathieu K. Apr 23 '18 at 02:04
120

In theory, zeroing or any predetermined sequence is more secure, as you could, in theory, make a guess at how far someone might move the dials.

It is also conceivable that if you were able to check the state of the dials when locked on enough different occasions then you could narrow down the likely combination if it is being reset in a similar manner each time.

In practice this is probably a bit far fetched and anything with a combination lock probably has larger concerns eg the combination being known by too many people or the fact that any number between 1950 and 2018 plus the birth years of moderately famous people is probably a fairly good guess.

Having said that there may be operational advantages in having combinations set to zero as it gives a clear unambiguous guideline and it is easy to visually check that the lock is secure without the person doing the checking needing to know the combination, especially if actually physically checking that the lock is closed is problematic eg opening it sets off an alarm. You could also argue that adding the extra step of zeroing creates more of a routine and so makes it less likely that people will forget to set the lock at all, although this is admittedly debatable.

For example if you have a night security guard you could just ask them to check that all locks are set to 0000 which is both easy to do and verifiable.

It also gives an (admittedly weak) check that the locks haven't been tampered with, here a more arbitrary sequence would be better.

For example if you set all your locks to 2375 when you leave and the sequence is different when you get back you know that someone has been messing with them.

You should also be aware that some types of combination dial lock are very trivial to pick as you can often feel when each dial engages by quickly cycling through each dial or by probing from the outside. Equally a 4 dial lock only has 10,000 (10^4) possible combinations and you can often systematically go through combinations very quickly.

Chris Johns
  • 1,226
  • 1
  • 8
  • 5
  • 11
    This answer is the best because it considers actual security, not just cryptographic security of the numbers themselves. – NH. Apr 13 '18 at 20:56
  • 1
    4 dial lock takes a relatively long time to go through all combinations, most locks on the market are 3 dial, which are very fast to open just by systematically checking all combinations. 3 dial locks should not be used for anything except child's play. Of course, any dial lock is never very secure. – Tero Lahtinen Apr 14 '18 at 07:08
  • 1
    If you can sift through passwords on a 4-digit lock at 1 per second, it would still take max three hours to crack. But one of those locks that you turn back and forth (Like on a locker) has 40 numbers and three digits. It takes 5 seconds per try, making it last max 100 hours. Plus, one of those locks can be left on any number without fear of making it easier to crack. – Radvylf Programs Apr 15 '18 at 04:03
  • 2
    @RedwolfPrograms: you probably should redo your math. Dial locks usually have some tolerance built into the system, so dialing adjacent numbers would usually still work. – Lie Ryan Apr 16 '18 at 00:35
  • @RedwolfPrograms you should be able to go a lot faster than 1 per second, even if you cannot feel the pin engagement or insert a pick. – OrangeDog Apr 16 '18 at 12:14
  • @OrangeDog I used 1 second, to account for the fact that some locks require you to push on the lock or pull a lever to open, which can take a few seconds. Plus, my above calculations were maximum times – Radvylf Programs Apr 16 '18 at 13:33
  • 2
    @TeroLahtinen especially if your 4-dial lock is set to detonate everything after 5 straight failures! – Carl Witthoft Apr 16 '18 at 15:46
  • If we assume one try takes 1 second, then 3 dial lock takes only about 8 minutes to break (on average, worst case *2), whereas one 4 dial lock takes an hour and 23 minutes. Two 3 dial locks were common in briefcases, it takes only twice the time of one i.e. on average 16 minutes, one 4 dial lock is much better. – Tero Lahtinen Apr 16 '18 at 16:20
  • I like the security guard aspect of this because they can verify security without needing the code themselves. – Dan Apr 17 '18 at 10:47
  • 1
    @TeroLahtinen: For whatever reason, most manufacturers of digit-dial locks fail to guard them against some relatively fast, and easy, and common exploits. I would guess that the digit-dial locks have such a reputation for weakness that people who care about security won't even consider them, and those who don't care about security wouldn't be willing to spend extra to fix the weaknesses. – supercat Apr 17 '18 at 17:49
  • @supercat maybe the purpose of dial locks in general is just to help honest people stay honest, not really stop malicious people. – Tero Lahtinen Apr 18 '18 at 09:28
  • 2
    @TeroLahtinen Some dial locks have a vulnerability where simultaneously trying to dial and open the lock will provide some feedback telling you if an individual dial is in the correct position. This allows the lock to be opened faster than brute force. – kasperd Apr 18 '18 at 21:07
  • 1
    *the birth years of moderately famous people is probably a fairly good guess.* - is this really a common combination? I can't recall the birth year of any famous people at all. – Johnny Apr 19 '18 at 04:51
  • @RedwolfPrograms, what LieRyan said about single-dial locks. The ones I'm familiar with have 60 digits, 3 numbers, and 3 digits of play; so 20 possibilities to the power of 3; so 8000. (Slightly fewer because the second number doesn't have all 20 possibilities, nor does the third, but it'll be close.) At 5 seconds = 720 attempts per hour, that's about 11 hours. (I have no idea whether 5 seconds is accurate. I heard there was a team at one of the big conventions/expos that built a robot to crack these, but I don't know what their times were.) – Mathieu K. Apr 23 '18 at 01:47
  • @LieRyan: What dial locks were you dealing with? The ones on the lockers where I went to high school reliably refused to open unless you got the combination _exactly_ right. (Half the time they didn't open then, either, but I'm pretty sure that was due to my locker being overstuffed and binding the latch mechanism rather than due to the lock itself.) – Vikki Apr 27 '18 at 01:24
34

It does not matter.

A lock can provide three forms of protection:

  1. Delay an attacker from accessing a resource so that they can be interrupted and stopped
  2. Provide evidence of tampering
  3. Dissuade a would-be attacker from attempting an attack

As discussed throughout answers and comments, it fails to do much in the way of delaying an attacker. The lock can be easily cut with a tool, like this $10 pair of bolt cutters. It can be easily picked with a tool, as CGCampbell's comment points out.

The ease with which it can be picked also limits its effectiveness as tamper evidence. Other answers point out that it can be fairly easily defeated even without a picking tool. So it really fails on that, as well.

This leaves its only value as the psychological benefit. It communicates that the valuables inside are not meant for unrestricted access, which dissuades people whose sense of morality or the fear of being caught will prevent them from attempting at all.

What the dial sits on thus has nearly zero relevance to its defensive capabilities. As a result, you'll need other defensive mechanisms to achieve your security goals if they include anything beyond the psychological influence. Surveillance (video or in person) would give you tamper evidence much more reliably if that's what you need; if that's not viable, there are other means of achieving it. Other means of protection are required if your intention is to protect it from determined attackers.

jpmc26
  • 823
  • 9
  • 17
  • 21
    Locks are often used for tamper evidence, not just to provide physical security. In these situations, an attacker may have a less strict time limit, but is unable to physically destroy the lock (because it would leave evidence). – forest Apr 14 '18 at 01:09
  • 6
    See @CGCampbell's comment on the original question. That lock does not even provide tamper evidence. Anybody who knows the trick can open that lock with a simple tool more quickly than a person who knows the combination can dial it in. Opening it with the tool leaves no evidence whatsoever. – Solomon Slow Apr 14 '18 at 16:13
  • 1
    Or cut the lock, open [container] replace with alternate lock - who cares if the combination is wrong... – Baldrickk Apr 16 '18 at 12:35
  • @forest Thanks. I updated my answer to incorporate that possibility. – jpmc26 Apr 19 '18 at 22:20
23

Zero it out. Maybe more work, but you don't run the risks of rotating too little or rotating the same amount for multiple dials. An attacker would have very little to go on in either case, though... Most people wouldn't consider this. Actual real-world security between the two is probably about equal. They would just have nothing extra to go on if you zero it out, and it's good to form a habit like that.

AJAr
  • 1,682
  • 1
  • 9
  • 19
  • 1
    It may not be more work. If you put it at 0000, then you could think of a combination of 1234 as 1 click up on the first dial, 2 clicks up on the second, etc., and wouldn't have to do subtraction to figure out how far to move each dial. And you could do the same backwards when you reset it afterwards. It might even be easier! – Guy Schalnat Apr 13 '18 at 16:13
  • 1
    The key is to reset it to the same pattern so the reset cannot be used as a vector of attack, then you can use this consistency to open the lock without visual sight... adding even MORE security. – Nelson Apr 13 '18 at 16:40
  • 16
    I think this answer is right, but with the caveat that if the additional security is *worth* that extra work, you're probably using too weak a lock for the job. But that may not be in your control. – Steve Jessop Apr 13 '18 at 16:50
  • 3
    That lock looks like one I used to have decades ago--if so I believe it had a stop that prevented it from going backwards past zero making it far easier to zero than scramble. – Bill K Apr 13 '18 at 18:39
  • 1
    Good attackers aren't "*most people*" - as always, the threat model has to include the level of adversary you're defending against. – Toby Speight Apr 19 '18 at 11:47
  • @TobySpeight Yeah, that's a fair point. – AJAr Apr 20 '18 at 16:25
11

There are a few things to take into account when answering this question.

  1. If you are looking for a statistical answer, then "spinning" the dials a specific number of times randomly forward and backward. (I don't have the count as that would be a calculation I don't have with me. It's like a required number of shuffles in Vegas to be considered random.)

  2. If you're looking at this from a security perspective, then setting it to a specific number is the better answer (where 0000 could be that specific number). The reason it's a better answer has been touched on in other posts, but in summary, it requires the person locking the lock to "think" to ensure it's been dialed. It provides no statistical information over time to guess movements. It allows for periodic "discovery" of tampering (if even to move the numbers around). If the number you set is 0000, the tampering part will have a potentially lower effectiveness as someone playing with it will probably remember to turn it back to 0000.

Unfortunately all of this overall is somewhat moot if the person trying to open the lock knows what they are doing. These 4 digit combo locks like the one pictured typically can be opened in under 30 seconds by someone who has experience with them. If they have a thin shim, even faster... Just a typical example video of how this is done (with more exposed dials albeit) https://www.youtube.com/watch?v=ABKsUNitXqw or https://www.youtube.com/watch?v=jmhSSuCIdPI. Having worked at DefCon for several years, it's pretty amazing to sit for a few minutes in the lockpicking village and watch young adults pop these things quickly after less than 15 minutes of training.

Knowing how easy these are to pop, and the fact that you're probably worried about tampering, #2 above is the long-term way to go.

Mathieu K.
  • 139
  • 7
Marcos
  • 131
  • 4
  • 1
    (+1) I mostly agree with your answer, except for "1.": For this type of combination lock, (#1) "spinning" (any or all) dials more than once doesn't improve security. The issue is that the person locking the lock (or verifying it later) should ensure all the dials are moved from the opening combination. The question is, should they be moved to specific (incorrect) positions (like 0-0-0-0), or some random positions. One motion on each dial should be enough, either to a specific, or random position. Moving the dial twice (or more) in either direction could move it back to the opening position. – Kevin Fegan Apr 15 '18 at 20:20
  • 2
    Moving each dial separately to a random but not opening position leaks information about the code to an observer who can observe the lock over time. – Peter Green Apr 16 '18 at 15:24
  • It's fine if *some* of the dials can be in their "opening" position, as long as *not all* are. That way the search space is only reduced by up to one code per observation. – cHao Apr 19 '18 at 15:19
  • As for the stats, true randomness would mean spinning 0 to 9 positions forward, with an equal chance of each and each dial independent of the others. I wouldn't count on muscle memory for this; use a RNG. – Mathieu K. Apr 23 '18 at 02:01
  • "no statistical information over time"—I'm guessing the additional wear in those dials whose correct digits are furthest from 0 would eventually be detectable. – Mathieu K. Apr 23 '18 at 02:06
6

To add an extra level of security, either use both directions equally for zeroing or always rotate all to a single direction, to leave equal amount of fingerprints. People tend to pick a number once and memorize it. The path from zero to (or near) the correct combination might get revealed in UV light.

I think that's even easier than guessing whether a non-zero combination shown is from blind spinning or hand picked: memorizing what has been already tried might take a similar amount of time and effort as going through 0000-9999 in order. And once it's stolen, time and combination get irrelevant: I'd concentrate on threats that could actualize while you turn your back, without knowing the secrets were compromised.

Esa Jokinen
  • 16,100
  • 5
  • 50
  • 55
  • Isn't the path to zero the reverse of the path from zero that you use when opening? So turning the lock back the natural way should even out the up/down fingerprints. – Toby Speight Apr 19 '18 at 11:49
  • Rolling forth `0-1-...-7` leaves the same trail as rolling back `7-6-...-0`, while `7-8-9-0` leaves fingerprints on all numbers. – Esa Jokinen Apr 19 '18 at 11:54
  • Ah, I think I see what you mean - I was thinking more of wear patterns on the casing than on the wheels! – Toby Speight Apr 19 '18 at 13:00
4

Theoretically, setting it to 0000 is superior because there is no possibility of any correlation to what was there before. Practically, it's slightly superior because you have a way to check for compliance, whereas any specified procedure that requires an adequate amount of randomization, can't be easily checked up on to see if people are actually following the protocol as opposed to just casually brushing their thumb over all the wheels together.

But still more practical, it is utterly stupid to depend on such a lock for serious security. If it is worth this level of analysis, it's worth a lock that isn't a toy. Bolt cutters rule.

user175731
  • 41
  • 1
  • Well, there is a 10/10000=0.1% chance of correlation to what was there before, as that could be 1111, 2222, etc. Small, but not "no possibility". – Andrew Leach Apr 15 '18 at 12:35
  • 1
    @AndrewLeach That is not a correlation. A correlation would be between your target and _any given correct combination_. In other words, it would be a correlation to "a correct combination", not to "1111". – forest Apr 16 '18 at 12:31
3

More on zeroing the result, which is my recommended approach. This is a theoretical answer.

Assuming an attacker knows how you reset the lock by either zeroing, setting to any fixed value, or scrambling the digits, they should still keep zero knowledge of the correct combination and thus equal odds of matching a random combination.

This could be broken with "mashing around" because no human is a perfect source of randomness. Actually they could be the worst.

Mashing around the digits could work with a mechanical/electronic device that spins the digits based on a truly or good-random source.

But normally humans would apply the digits patterns that may reduce the possible values to look for.

Suppose you and the attacker share a set of locks of which both know the combination. Normally one would for example swipe the fingers "randomly" on the reels to make them point to a different number. Or move the reels in an order that the brain wants to keep.

Maybe somebody will make sure the resulting number shows all digits different from the correct combination, or a minimum number of ticks when changing each digit.

This will result in a known plaintext attack of an increasing number of attempts (again, this is a theoretical answer) and will give *additional* information on the combination that the attacker should not have.

What does emphasized *additional* mean? That even if the attacker succeeds in determining that a single digit is surely a wrong guess they have just dropped the needed brute force attacks by 1000. Add more digits to restrict the attack surface.

Setting to 0000 or to any predefined value makes the odds of every combination the same.

usr-local-ΕΨΗΕΛΩΝ
  • 5,310
  • 2
  • 17
  • 35
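
The leak that AndrolGenhald's answer and the answer above describe can be counted directly. The following is an added example, not part of any post on this page: the four reset habits (`fixed`, `uniform`, `avoid`, `swipe`) are simplified assumptions, and the code counts how many of the 10,000 codes an observer who knows the habit still cannot rule out after each sighting of the locked dials.

```python
"""Added illustration: what the locked dial state tells an observer.

The habit models below are assumptions made for this sketch, not measured
human behaviour. Combination 1234 is the example used in the answers.
"""
import random
from itertools import product

DIGITS = "0123456789"
ALL_CODES = ["".join(p) for p in product(DIGITS, repeat=4)]


# --- Reset habits: how the dials are left after locking ---------------------
def reset_fixed(combo, rng):
    """Always leave 0000 (assumes the real combination is not 0000)."""
    return "0000"


def reset_uniform(combo, rng):
    """Ideal scramble: every state except the opening one is equally likely."""
    while True:
        state = rng.choice(ALL_CODES)
        if state != combo:
            return state


def reset_avoid(combo, rng):
    """Each dial deliberately shows a digit other than its true digit."""
    return "".join(rng.choice([d for d in DIGITS if d != c]) for c in combo)


def reset_swipe(combo, rng):
    """One thumb swipe: all four dials move together by the same 1..9 clicks."""
    k = rng.randint(1, 9)
    return "".join(str((int(c) + k) % 10) for c in combo)


# --- What a sighting rules out, given that the habit is known ---------------
def consistent_locked(cand, seen):
    # The lock was closed, so the displayed state is not the combination.
    return cand != seen


def consistent_avoid(cand, seen):
    # No dial ever displays its true digit.
    return all(c != s for c, s in zip(cand, seen))


def consistent_swipe(cand, seen):
    # Every dial is offset from the truth by the same non-zero amount.
    shifts = {(int(s) - int(c)) % 10 for c, s in zip(cand, seen)}
    return len(shifts) == 1 and 0 not in shifts


HABITS = {
    "fixed": (reset_fixed, consistent_locked),
    "uniform": (reset_uniform, consistent_locked),
    "avoid": (reset_avoid, consistent_avoid),
    "swipe": (reset_swipe, consistent_swipe),
}


def count_candidates(habit, observations):
    """Number of codes still possible after the given sightings."""
    check = HABITS[habit][1]
    return sum(all(check(c, s) for s in observations) for c in ALL_CODES)


def simulate(habit, combo, n_obs, seed=0):
    """Candidate-set size after each of n_obs simulated sightings."""
    reset, check = HABITS[habit]
    rng = random.Random(seed)  # seeded so the run is repeatable
    candidates = ALL_CODES
    history = []
    for _ in range(n_obs):
        seen = reset(combo, rng)
        candidates = [c for c in candidates if check(c, seen)]
        history.append(len(candidates))
    return history


if __name__ == "__main__":
    for habit in HABITS:
        h = simulate(habit, "1234", 200)
        print(f"{habit:8s} after 1/5/20/200 sightings:", h[0], h[4], h[19], h[199])
```

A fixed reset never shrinks the candidate set below 9,999, and an ideal scramble removes at most one code per sighting, while the two human habits collapse the set quickly.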
1

In a practical sense it really doesn't matter, trying to undo your blind scrambling is going to be harder than just wiggling the dials around and getting a feel for the lock. It's fairly easy to open a combination lock just from turning the dials and feeling how it reacts. Combination locks like these are only a mild deterrent.

Qwertie
  • 778
  • 6
  • 11
  • It's not necessarily that hard to undo blind scrambling. I've had a 4-dial lock and managed to unlock it just by moving every single dial at once (save the one on the far left, for reasons) and trying to open it each time. It worked in less than a minute. – forest Apr 20 '18 at 04:01
0

You could also fix another random number, 3234 for example, and bring it back to this number after locking, so it's easier to know if it has been played with, instead of 0000.

user175812
  • 11
  • 1
0

It's actually a pretty bad idea to require everyone to use all 0's because requiring all 0's is burdensome security theater.

> I have a strong feeling that there is no functional difference between the two, but I am encouraged to set a best practice.

The best practice should be something people consistently do and follow, and something for which your cohort understands the importance. The arguments that will ensue when someone forgets to set all to 0 or doesn't feel like it will be nothing but petty. Of course everyone else on your team knows it doesn't make any difference, at least not any difference that doesn't start with "well technically".

When management is literalist about security you can expect employees to be literalist right back at them. If people really got upset, you could expect to find the lock on the ground set to all 0's and the safe open some day, just like management wants it.

djechlin
  • 278
  • 2
  • 9
-1

In theory, they are equally (in)secure. Were one of them more secure (e.g. blindly spinning the dials), then the attacker would know it as well and set the lock to "0000" to reduce the complexity, and vice versa.

One thing to note though is that spinning digits randomly could theoretically give out your code if it's "easier" to spin the digit to the correct position (which should mean it's a very bad lock, but to my knowledge some locks are like that). Hence, if you do want to introduce some random element, you may be better off coming up with a random number yourself, making sure it's not too close to the correct number, and setting the lock to that number.

undercat
  • 188
  • 9
  • 2
    -1 for `making sure it's not too close to the correct number` because that itself is a correlation, and a pretty strong one, too. some of the other answers have pointed that out. – forest Apr 22 '18 at 09:54
  • @forest If we were to talk in abstract terms, I would have agreed with you. [Realistically](https://www.youtube.com/watch?v=Z392cj8GM5U) however, there are many more things at play, both mechanical and psychological. First, lots of people forget to reset their locks, so the lockpicker will much more likely try the number that the lock was set to (along with its adjacent numbers) before going with the brute force approach. Second, some cheap locks are designed in a way that by spinning their dials randomly you will be more likely to get the correct digit than any other. The list goes on. – undercat Apr 22 '18 at 11:11