34

I recently learnt to pick locks. Eager to test out my skills, I tried picking a padlock I'd been using on a secure storage box for a number of years, and found that it only had one pin - I can get into it in less than a second. It's completely laughable. Scarily, it looks nearly identical to another padlock I have, which has 5 pins and takes me about 10 minutes to crack.

In order to get a better handle on the situation, I bought 5 padlocks, ranging from £1 to £30. From this limited sample, the quality of the lock and amount of time it took to pick was completely independent of the price. The £30 lock was indeed harder than the £1 lock, but one of the mid-priced locks was easiest of all. It seems to be almost impossible to gauge without actually attempting to pick the lock. This worries me.

How can one go about verifying that a padlock they're buying for security purposes has a reasonable security margin, before actually purchasing it? Are there any particular lock technologies or standards that are likely to be advertised on the packaging?

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • Very interesting question! – Luc Oct 11 '12 at 19:55
  • Sadly, I'm guessing the answer will end up having to do with searching online forums dedicated to lockpicking, or finding detailed technical specifications from the locks' manufacturers. Otherwise, a very interesting question indeed. – Iszi Oct 11 '12 at 20:11
  • 3
    Wow. 1 pin? Even cabinet and desk locks usually have at least a few. – tylerl Oct 11 '12 at 21:21
  • 1
    @tylerl Yeah, I was pretty shocked too. I can break into it with a damn screwdriver. – Polynomial Oct 11 '12 at 21:22
  • 1 pin is just taking the biscuit. You may also be interested in *shims*: http://www.wikihow.com/Use-a-Padlock-Shim. And the holy grail (for pin-tumblers): *bump keys*: http://youtu.be/pwTVBWCijEQ – Daniel Hanrahan Oct 11 '12 at 23:52
  • 4
    "Can you easily pick it" is just one aspect of lock security. "Can you cut it off?" is another. I would guess most locks can be easily cut off by a determined thief with a tool, so why worry so much about the other? – emory Oct 12 '12 at 02:20
  • 1
    @QuasarDonkey HEY, THAT'S ME!! – tylerl Oct 12 '12 at 04:12
  • 1
    @emory For higher security stuff, I only tend to buy padlocks with metal wings around the hoop, which are very difficult to cut with bolt croppers. You'd need a circular saw or a plasma torch, which is a little too overt for most crooks. – Polynomial Oct 12 '12 at 08:05

3 Answers3

17

In Europe high security padlocks will have a "CEN rating" in accordance with the EN 1300:2004 standard. CEN ratings go from 1 (lowest) to 6 (highest). The standard is not available online for free, but this site has some details as to what the different CEN rating levels mean.

David Wachtfogel
  • 5,512
  • 21
  • 35
14

In the UK at least on a more broader level than just padlocks, lock systems can be tested by an independent company called sold secure. This company, which is in part funded by the police and home office, tests equipment and certifies it. I believe the company apply lockpicking techniques, although I am not sure as to the details of their tests.

I know this because I also know that when selling locking equipment for caravans, some insurers mandate a certain level of "sold secure" lock, and others will reduce your insurance premium if you have a (usually diamond) level wheel nut lock. I never thought my knowledge of caravan hardware would be relevant here.

Looking through the product list, some of their evaluated products include padlocks (access to server cages as a potential usage) and safes (storage of data at rest via removable disks, as a potential usage).

Clearly, not all vendors submit their products for testing, however.

Edit: apparently sold secure gold may not necessarily have the desired level of security. For more info, see the comments.

  • the sold secure program is getting better over time, but you'll notice if you google for sold secure, the second result is a youtube video showing a range of "sold secure gold" motorcycle chains being cut with bot cutters in a matter of seconds... http://www.youtube.com/watch?v=VC3hFr8p2ck – Colin Pickard Oct 11 '12 at 22:48
  • @Colin Intriguing, I did not know that, thanks. I'll update my answer to include that caveat. –  Oct 12 '12 at 09:53
8

You either have to buy the lock and test the security yourself, or you can trust the reputation of the vendor. So I guess in this sense, lock security is surprisingly similar to information security.

You can be reasonably certain that a padlock made by Medeco or ASSA is going to be well-designed and (if recently made) reasonably resistant to circumvention techniques. That's why they cost more; you're depending on the fact that the company doesn't want to tarnish their sparkly reputation by putting out a one-pin tumbler. The higher end locks also tend to be bump-resistant, pick-resistant, and sometime even cut-resistant.

Note that physical locks are also subject to side channel attacks just like computer security. With a little math and a some careful observation, you can often narrow down a combination lock's code from 1 in a several tens of thousands to one in several dozen. Though even without doing the math, brute-forcing such a lock only takes about 20 minutes.

tylerl
  • 82,225
  • 25
  • 148
  • 226