156

I am partially responsible for some resources protected by a 4-dial combination lock like this one: Lock

There are two things that people will usually do after they've locked it:

  • reset all the digits to 0, so that the combination reads 0000, or
  • mash around on the dials a bit so that the combination reads something else.

I have a strong feeling that there is no functional difference between the two, but I am encouraged to set a best practice. So, assuming that the lock has a random combination and is practically unbreakable without entering the correct combination, which approach is more secure?

21
  • 46
    With a pick from Kevin Mitnick's Lock Pick Business Card (I have two, one undone) and watching a video to learn how, anyone can pick a 175d in a few seconds.... don't worry about how you reset the dials.
    – CGCampbell
    Commented Apr 13, 2018 at 19:23
  • 42
    Don't reset all the digits to 0 if the combination is 0000! ;-)
    – Michael
    Commented Apr 13, 2018 at 20:58
  • 14
    Zero it out AND set the combination to 0000. Foolproof. Commented Apr 14, 2018 at 0:36
  • 63
    If you are actually responsible for valuable resources, get rid of that lousy lock immediately, replacing it by a proper high-quality tamper-resistant padlock, or a proper safe, depending on the value. It makes no sense to use a lousy lock that anyone can break within 30min. Worse still, many such combination locks can be broken within 1 minute if you know how, as Chris Johns sketches in his answer.
    – user21820
    Commented Apr 14, 2018 at 5:12
  • 8
    These locks (and combination locks in general) are perilously insecure, usually due to exploits that have nothing to do with guessing the combination. Commented Apr 16, 2018 at 2:44

12 Answers

119

In theory, zeroing or any predetermined sequence is more secure, as you could, in theory, make a guess at how far someone might move the dials.

It is also conceivable that if you were able to check the state of the dials when locked on enough different occasions then you could narrow down the likely combination if it is being reset in a similar manner each time.

In practice this is probably a bit far-fetched, and anything with a combination lock probably has larger concerns, e.g. the combination being known by too many people or the fact that any number between 1950 and 2018 plus the birth years of moderately famous people is probably a fairly good guess.

Having said that, there may be operational advantages in having combinations set to zero, as it gives a clear, unambiguous guideline and it is easy to visually check that the lock is secure without the person doing the checking needing to know the combination, especially if actually physically checking that the lock is closed is problematic, e.g. opening it sets off an alarm. You could also argue that adding the extra step of zeroing creates more of a routine and so makes it less likely that people will forget to set the lock at all, although this is admittedly debatable.

For example if you have a night security guard you could just ask them to check that all locks are set to 0000 which is both easy to do and verifiable.

It also gives an (admittedly weak) check that the locks haven't been tampered with, here a more arbitrary sequence would be better.

For example if you set all your locks to 2375 when you leave and the sequence is different when you get back you know that someone has been messing with them.

You should also be aware that some types of combination dial lock are very trivial to pick as you can often feel when each dial engages by quickly cycling through each dial or by probing from the outside. Equally a 4 dial lock only has 10,000 (10^4) possible combinations and you can often systematically go through combinations very quickly.

15
  • 11
    This answer is the best because it considers actual security, not just cryptographic security of the numbers themselves.
    – NH.
    Commented Apr 13, 2018 at 20:56
  • 1
    A 4-dial lock takes a relatively long time to go through all combinations; most locks on the market are 3-dial, which are very fast to open just by systematically checking all combinations. 3-dial locks should not be used for anything except child's play. Of course, any dial lock is never very secure. Commented Apr 14, 2018 at 7:08
  • 2
    @RedwolfPrograms: you probably should redo your math. Dial locks usually have some tolerance built into the system, so dialing adjacent numbers would usually still work.
    – Lie Ryan
    Commented Apr 16, 2018 at 0:35
  • 2
    @TeroLahtinen especially if your 4-dial lock is set to detonate everything after 5 straight failures! Commented Apr 16, 2018 at 15:46
  • 2
    @TeroLahtinen Some dial locks have a vulnerability where simultaneously trying to dial and open the lock will provide some feedback telling you if an individual dial is in the correct position. This allows the lock to be opened faster than brute force.
    – kasperd
    Commented Apr 18, 2018 at 21:07
192

I would recommend setting it to 0000 or some other specified combination (doesn't really matter what).

"Mashing around the dials" is a little vague, but I would guess based on my own behavior that people would tend to move most or all of the dials at once, which would create a strong correlation between the current combination and the lock combination. For instance, if the lock combination is 1234, someone might change it to 5678 (probably not exactly, but close enough that an attacker could prioritize the combinations they try).

Humans also have a tendency to think some things seem more secure when they actually weaken security. Someone may try to set it to a combination that seems "further" from the lock combination, such as changing 1234 to 6578 instead of 2142 because 2142 is too "close" to the lock combination. This could allow an attacker to prioritize the order they attempt combinations. Specifying a constant value to set it to avoids such issues.

14
  • 118
    And if the combination is 1234, probably no one will let it be x2xx after shuffling it. An attacker records the numbers on the lock time and time again and can create a profile of likely digits based on that.
    – ThoriumBR
    Commented Apr 13, 2018 at 15:25
  • 29
    @ThoriumBR So true. Most people may even deliberately avoid having part of their code show up. I just need to watch you spin the lock half a dozen times to narrow down exactly what 4 numbers you use, then I have only 4*3*2*1 = 24 combinations to test out. You just completely destroyed your security due to your own flawed idea of what security is...
    – Nelson
    Commented Apr 13, 2018 at 16:38
  • 41
    Short version: Humans are even worse at RNG than computers, even if we think otherwise. Commented Apr 13, 2018 at 18:27
  • 77
    In the real world, both options are basically equivalent, because if someone actually wants in badly enough to break the law, they're not going to do statistics or spend hours trying every combination. They're going to use a crowbar or a drill. Commented Apr 13, 2018 at 18:32
  • 13
    As a practical matter, setting 0000 is probably better since it will indicate to an attacker that they should move on to an easier target. Even if the attacker doesn't crack your code, you don't want to encounter them making an attempt.
    – MooseBoys
    Commented Apr 13, 2018 at 19:26
34

It does not matter.

A lock can provide three forms of protection:

  1. Delay an attacker from accessing a resource so that they can be interrupted and stopped
  2. Provide evidence of tampering
  3. Dissuade a would-be attacker from attempting an attack

As discussed throughout answers and comments, it fails to do much in the way of delaying an attacker. The lock can be easily cut with a tool, like this $10 pair of bolt cutters. It can be easily picked with a tool, as CGCampbell's comment points out.

The ease with which it can be picked also limits its effectiveness as tamper evidence. Other answers point out that it can be fairly easily defeated even without a picking tool. So it really fails on that, as well.

This leaves its only value as the psychological benefit. It communicates that the valuables inside are not meant for unrestricted access, which dissuades people whose sense of morality or the fear of being caught will prevent them from attempting at all.

What the dial sits on thus has nearly zero relevance to its defensive capabilities. As a result, you'll need other defensive mechanisms to achieve your security goals if they include anything beyond the psychological influence. Surveillance (video or in person) would give you tamper evidence much more reliably if that's what you need; if that's not viable, there are other means of achieving it. Other means of protection are required if your intention is to protect it from determined attackers.

4
  • 21
    Locks are often used for tamper evidence, not just to provide physical security. In these situations, an attacker may have a less strict time limit, but is unable to physically destroy the lock (because it would leave evidence).
    – forest
    Commented Apr 14, 2018 at 1:09
  • 6
    See @CGCampbell's comment on the original question. That lock does not even provide tamper evidence. Anybody who knows the trick can open that lock with a simple tool more quickly than a person who knows the combination can dial it in. Opening it with the tool leaves no evidence whatsoever. Commented Apr 14, 2018 at 16:13
  • 1
    Or cut the lock, open [container] replace with alternate lock - who cares if the combination is wrong...
    – Baldrickk
    Commented Apr 16, 2018 at 12:35
  • @forest Thanks. I updated my answer to incorporate that possibility.
    – jpmc26
    Commented Apr 19, 2018 at 22:20
23

Zero it out. Maybe more work, but you don't run the risks of rotating too little or rotating the same amount for multiple dials. An attacker would have very little to go on in either case, though... Most people wouldn't consider this. Actual real-world security between the two is probably about equal. They would just have nothing extra to go on if you zero it out, and it's good to form a habit like that.

6
  • 1
    It may not be more work. If you put it at 0000, then you could think of a combination of 1234 as 1 click up on the first dial, 2 clicks up on the second, etc., and wouldn't have to do subtraction to figure out how far to move each dial. And you could do the same backwards when you reset it afterwards. It might even be easier! Commented Apr 13, 2018 at 16:13
  • 1
    The key is to reset it to the same pattern so the reset cannot be used as a vector of attack; then you can use this consistency to open the lock without visual sight... adding even MORE security.
    – Nelson
    Commented Apr 13, 2018 at 16:40
  • 16
    I think this answer is right, but with the caveat that if the additional security is worth that extra work, you're probably using too weak a lock for the job. But that may not be in your control. Commented Apr 13, 2018 at 16:50
  • 3
    That lock looks like one I used to have decades ago--if so I believe it had a stop that prevented it from going backwards past zero making it far easier to zero than scramble.
    – Bill K
    Commented Apr 13, 2018 at 18:39
  • 1
    Good attackers aren't "most people" - as always, the threat model has to include the level of adversary you're defending against. Commented Apr 19, 2018 at 11:47
11

There are a few things to take into account when answering this question.

  1. If you are looking for a statistical answer, then "spinning" the dials a specific number of times randomly forward and backward. (I don't have the count as that would be a calculation I don't have with me. It's like a required number of shuffles in Vegas to be considered random.)

  2. If you're looking at this from a security perspective, then setting it to a specific number is the better answer (where 0000 could be that specific number). The reason it's a better answer has been touched on in other posts, but in summary, it requires the person locking the lock to "think" to ensure it's been dialed. It provides no statistical information over time to guess movements. It allows for periodic "discovery" of tampering (if even to move the numbers around). If the number you set is 0000, the tampering part will have a potentially lower effectiveness, as someone playing with it will probably remember to turn it back to 0000.

Unfortunately all of this overall is somewhat moot if the person trying to open the lock knows what they are doing. These 4 digit combo locks like the one pictured typically can be opened in under 30 seconds by someone who has experience with them. If they have a thin shim, even faster... Just a typical example video of how this is done (with more exposed dials albeit) https://www.youtube.com/watch?v=ABKsUNitXqw or https://www.youtube.com/watch?v=jmhSSuCIdPI. Having worked at DefCon for several years, it's pretty amazing to sit for a few minutes in the lockpicking village and watch young adults pop these things quickly after less than 15 minutes of training.

Knowing how easy these are to pop, and the fact that you're probably worried about tampering, #2 above is the long-term way to go.

5
  • 1
    (+1) I mostly agree with your answer, except for "1.": For this type of combination lock, (#1) "spinning" (any or all) dials more than once doesn't improve security. The issue is that the person locking the lock (or verifying it later) should ensure all the dials are moved from the opening combination. The question is, should they be moved to specific (incorrect) positions (like 0-0-0-0), or some random positions. One motion on each dial should be enough, either to a specific, or random position. Moving the dial twice (or more) in either direction could move it back to the opening position. Commented Apr 15, 2018 at 20:20
  • 2
    Moving each dial separately to a random but not opening position leaks information about the code to an observer who can observe the lock over time. Commented Apr 16, 2018 at 15:24
  • It's fine if some of the dials can be in their "opening" position, as long as not all are. That way the search space is only reduced by up to one code per observation.
    – cHao
    Commented Apr 19, 2018 at 15:19
  • As for the stats, true randomness would mean spinning 0 to 9 positions forward, with an equal chance of each and each dial independent of the others. I wouldn't count on muscle memory for this; use a RNG.
    – Mathieu K.
    Commented Apr 23, 2018 at 2:01
  • "no statistical information over time"—I'm guessing the additional wear in those dials whose correct digits are furthest from 0 would eventually be detectable.
    – Mathieu K.
    Commented Apr 23, 2018 at 2:06
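The following simulation is added here and is not code from any answer in the thread. It puts numbers on the correlation argument in the 0000 answer above (ThoriumBR's and Nelson's comments that nobody leaves a dial on its correct digit) and on cHao's and Mathieu K.'s comments on this answer: an observer records the resting state of the lock after each locking and discards every combination the assumed reset habit could not have produced. The example code 1234 and the "every dial moved" habit are constructed assumptions.

```python
"""Candidate-set shrinkage for a 4-dial combination lock under several
reset habits.  Constructed simulation, not code from the thread: an observer
records the lock's resting state after each locking and discards every
combination that the assumed habit could not have produced."""
import itertools
import random

DIALS, DIGITS = 4, 10
ALL_CODES = list(itertools.product(range(DIGITS), repeat=DIALS))


# --- reset habits: (code, rng) -> resting state shown on the dials ---------
def reset_zero(code, rng):
    """Habit recommended in the thread: every dial returned to 0."""
    return (0,) * DIALS


def reset_uniform(code, rng):
    """Mathieu K.'s ideal: each dial independently uniform over 0..9."""
    return tuple(rng.randrange(DIGITS) for _ in range(DIALS))


def reset_any_but_code(code, rng):
    """cHao's relaxation: uniform, rejecting only the exact opening code."""
    while True:
        state = reset_uniform(code, rng)
        if state != code:
            return state


def reset_every_dial_moved(code, rng):
    """Hypothetical 'mashing' habit from ThoriumBR's comment: no dial is
    left on its correct digit (code 1234 never rests as x2xx)."""
    return tuple(rng.choice([d for d in range(DIGITS) if d != c]) for c in code)


# --- what each habit lets an observer rule out ----------------------------
# value: (reset function, predicate "could `cand` be the code given `seen`?")
POLICIES = {
    "zero": (reset_zero, lambda cand, seen: True),
    "uniform": (reset_uniform, lambda cand, seen: True),
    "any_but_code": (reset_any_but_code, lambda cand, seen: cand != seen),
    "every_dial_moved": (
        reset_every_dial_moved,
        lambda cand, seen: all(c != s for c, s in zip(cand, seen)),
    ),
}


def candidates_after(code, policy, observations, seed=0):
    """Number of combinations still consistent with `observations` recorded
    resting states produced by `policy`.  10000 means nothing was learned."""
    reset, consistent = POLICIES[policy]
    rng = random.Random(seed)
    survivors = ALL_CODES
    for _ in range(observations):
        seen = reset(code, rng)
        survivors = [c for c in survivors if consistent(c, seen)]
    return len(survivors)


if __name__ == "__main__":
    code = (1, 2, 3, 4)  # constructed example combination
    for n in (1, 5, 20, 100):
        row = {p: candidates_after(code, p, n) for p in POLICIES}
        print(f"after {n:3d} observations: {row}")
```

A single "every dial moved" observation already cuts the search from 10,000 to 9^4 = 6,561 candidates, and repeated observations drive it to the one true code, while the zero and uniform habits never shrink it.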
6

To add an extra level of security, either use both directions equally for zeroing or always rotate all to a single direction, to leave an equal amount of fingerprints. People tend to pick a number once and memorize it. The path from zero to (or near) the correct combination might get revealed in UV light.

I think that's even easier than guessing whether a non-zero combination shown is from blind spinning or hand picked: memorizing what has already been tried might take a similar amount of time and effort to going through 0000-9999 in order. And once it's stolen, time and combination get irrelevant: I'd concentrate on threats that could actualize while you turn your back, without knowing the secrets were compromised.

3
  • Isn't the path to zero the reverse of the path from zero that you use when opening? So turning the lock back the natural way should even out the up/down fingerprints. Commented Apr 19, 2018 at 11:49
  • Rolling forth 0-1-...-7 leaves the same trail as rolling back 7-6-...-0, while 7-8-9-0 leaves fingerprints on all numbers. Commented Apr 19, 2018 at 11:54
  • Ah, I think I see what you mean - I was thinking more of wear patterns on the casing than on the wheels! Commented Apr 19, 2018 at 13:00
4

Theoretically, setting it to 0000 is superior because there is no possibility of any correlation to what was there before. Practically, it's slightly superior because you have a way to check for compliance, whereas any specified procedure that requires an adequate amount of randomization, can't be easily checked up on to see if people are actually following the protocol as opposed to just casually brushing their thumb over all the wheels together.

But still more practical, it is utterly stupid to depend on such a lock for serious security. If it is worth this level of analysis, it's worth a lock that isn't a toy. Bolt cutters rule.

2
  • Well, there is a 10/10000=0.1% chance of correlation to what was there before, as that could be 1111, 2222, etc. Small, but not "no possibility". Commented Apr 15, 2018 at 12:35
  • 1
    @AndrewLeach That is not a correlation. A correlation would be between your target and any given correct combination. In other words, it would be a correlation to "a correct combination", not to "1111".
    – forest
    Commented Apr 16, 2018 at 12:31
3

More on zeroing the result, which is my recommended approach. This is a theoretical answer.

Assuming an attacker knows how you reset the lock by either zeroing, setting to any fixed value, or scrambling the digits, they should still keep zero knowledge of the correct combination and thus equal odds of matching a random combination.

This could be broken with "mashing around" because no human is a perfect source of randomness. Actually they could be the worst.

Mashing around the digits could work with a mechanical/electronic device that spins the digits based on a truly or good-random source.

But normally humans would apply the digits patterns that may reduce the possible values to look for.

Suppose you and the attacker share a set of locks of which both know the combination. Normally one would for example swipe the fingers "randomly" on the reels to make them point to a different number. Or move the reels in an order that the brain wants to keep.

Maybe somebody will make sure the resulting number shows all digits different from the correct combination, or a minimum number of ticks when changing each digit.

This will result in a known plaintext attack of an increasing number of attempts (again, this is a theoretical answer) and will give additional information on the combination that the attacker should not have.

What does emphasized additional mean? That even if the attacker succeeds in determining that a single digit is surely a wrong guess they have just dropped the needed brute force attacks by 1000. Add more digits to restrict the attack surface.

Setting to 0000 or to any predefined value makes the odds of every combination the same.

1

In a practical sense it really doesn't matter; trying to undo your blind scrambling is going to be harder than just wiggling the dials around and getting a feel for the lock. It's fairly easy to open a combination lock just from turning the dials and feeling how it reacts. Combination locks like these are only a mild deterrent.

1
  • It's not necessarily that hard to undo blind scrambling. I've had a 4-dial lock and managed to unlock it just by moving every single dial at once (save the one on the far left, for reasons) and trying to open it each time. It worked in less than a minute.
    – forest
    Commented Apr 20, 2018 at 4:01
0

You could also fix another random number, 3234 for example, and bring it back to this number after locking, so it's easier to know if it has been played with, instead of 0000.

2
  • Everyone must memorize two codes, and then someone will confuse them.
    – djechlin
    Commented Apr 17, 2018 at 22:41
  • This seems more like a comment than an answer...
    – forest
    Commented Aug 7, 2018 at 2:35
0

It's actually a pretty bad idea to require everyone to use all 0's because requiring all 0's is burdensome security theater.

I have a strong feeling that there is no functional difference between the two, but I am encouraged to set a best practice.

The best practice should be something people consistently do and follow, and something for which your cohort understands the importance. The arguments that will ensue when someone forgets to set all to 0 or doesn't feel like it will be nothing but petty. Of course everyone else on your team knows it doesn't make any difference, at least not any difference that doesn't start with "well technically".

When management is literalist about security you can expect employees to be literalist right back at them. If people really got upset, you could expect to find the lock on the ground set to all 0's and the safe open some day, just like management wants it.

-1

In theory, they are equally (in)secure. Were one of them more secure (e.g. blindly spinning the dials), then the attacker would know it as well and set the lock to "0000" to reduce the complexity, and vice versa.

One thing to note though is that spinning digits randomly could theoretically give out your code if it's "easier" to spin the digit to the correct position (which should mean it's a very bad lock, but to my knowledge some locks are like that). Hence, if you do want to introduce some random element, you may be better off coming up with a random number yourself, making sure it's not too close to the correct number, and setting the lock to that number.

2
  • 2
    -1 for making sure it's not too close to the correct number, because that itself is a correlation, and a pretty strong one, too. Some of the other answers have pointed that out.
    – forest
    Commented Apr 22, 2018 at 9:54
  • @forest If we were to talk in abstract terms, I would have agreed with you. Realistically however, there are many more things at play, both mechanical and psychological. First, lots of people forget to reset their locks, so the lockpicker will much more likely try the number that the lock was set to (along with its adjacent numbers) before going with the brute force approach. Second, some cheap locks are designed in a way that by spinning their dials randomly you will be more likely to get the correct digit than any other. The list goes on.
    – undercat
    Commented Apr 22, 2018 at 11:11