Schneier on Security
A blog covering security and security technology.
June 15, 2005
Picking Physicists' Locks
From Scientific American:
Measured to be equal to 1/137.03599976, or approximately 1/137, [the fine-structure constant] has endowed the number 137 with a legendary status among physicists (it usually opens the combination locks on their briefcases).
So now you know, too.
Posted on June 15, 2005 at 8:10 AM
• 73 Comments
Oh, great. So now they're going to have to change the constant to keep their locks from being opened by strangers, and this will change the nature of the universe to render fusion impossible, the stars will shut down, and we'll all die. Thanks for nothing, Bruce.
just like 2^something (like 8192 or 1024) usually opens a computer scientist's briefcase...
...and of course 3141 or 2718 or 9973 (largest 4-digit prime) might work for a mathematician's briefcase. I myself like to use 641 (factor of the fifth Fermat number), but secretly I wish I had a 5-digit lock so I could use 49999.
I recall Feynman trying to open a mathematician's locker with constants such as $e$ and $\pi$ when he was working on the Manhattan Project.
We use 314 and 271 for laptop locks used on computers for demos (there's always someone around, so we don't worry too much).
I use square roots of prime numbers myself.
Feynman, on trying to get hold of some nuclear weapons documents in 1946 whilst the office was empty:
I went over to the filing cabinets and tried the first one: 31-41-59. It didn't open. Then I tried 59-41-31. That didn't work either. Then 95-14-13. Backwards, forwards, upside down, turn it this way, turn it that -- nothing!
... I said to myself, "Freddy de Hoffman is just the kind of guy to use a mathematical constant for a safe combination."
I went back to the first filing cabinet and tried 27-18-28 -- CLICK! It opened! (The mathematical constant second in importance to pi is the base of natural logarithms, e: 2.71828...) There were nine filing cabinets, and I had opened the first one, but the document I wanted was in another one -- they were in alphabetical order by author. I tried the second filing cabinet: 27-18-28 -- CLICK! It opened with the same combination. I thought, "This is wonderful! I've opened the secrets to the atomic bomb, but if I'm ever going to tell this story, I've got to make sure that all the combinations are really the same!" Some of the filing cabinets were in the next room, so I tried 27-18-28 on one of them, and it opened...
(from "Safecracker Meets Safecracker", in 'Surely You're Joking, Mr. Feynman'. Quite the classic.)
** *** ***** ******* *********** *************
Looks familiar, Bruce?
In my job where I custom build computers, I've memorized a few micro$loth product keys, and use them, rotating or appending numbers where necessary, or skipping over the letters to get only numbers for number only combinations.
Quoting a comment from flo:
> ...and of course 3141 or 2718 or 9973 (largest 4-digit prime) might work for a mathematician's briefcase.
I think most mathematicians would use 1729, actually.
Only for briefcases they left in a taxi to Putney ;-)
Cool... I'm off to mug Stephen Hawking!
If I'm truly concerned about security, I ask someone I know to provide me a number and a mnemonic for it.
That way, guessing based on what you know of _me_ won't get very far. You'd have to figure out which acquaintance I got the number from and what _their_ passion is.
Erik: If you wanted full security, you wouldn't just trust any acquaintance, right?
Skript Kiddies would get fancy 4-digit locks and use 1337, if they had briefcases.
Some retard wagered that amount on Jeopardy the other day. I bet he thought he was really kewl!
Interesting no one came up with numbers like 401 and 403 (HTTP response codes).
My physicist friend just pointed out that Wolfgang Pauli died in hospital room 137.
spaceballs, anyone? "12345? That's the kind of combination an idiot would put on his luggage" - "I always use that combination..."
> Interesting no one came up with numbers like 401 and 403 (HTTP response codes).
401 and 403 are pretty funny ("unauthorized" and "forbidden"). If you only keep your lunch in your briefcase you could also go with a more philosophical 417 "expectation failed". However these 4xx codes are technically incorrect since at this point the client entity has sent a properly formed request! You should have 200 ("document follows") or maybe 204 ("no content").
Seriously, when I need to generate random numeric codes for stuff like this, I have a little Perl script which generates random numbers of the correct length, then tests them against /usr/dict/words to find which ones can be converted to a valid word (or multiple valid words if a 0=space is included) via the mapping on a phone keypad.
This isn't perfect of course. It gives a biased distribution because 1 never occurs, numbers that mainly turn into rare letters (e.g. 5) are probably less likely to occur, and certain patterns are impossible. A histogram of output frequencies looks like a binomial + big spike for 0 frequency (impossible outputs) rather than flat, although I think the bias will be much less than picking the word first and then turning it into a number. In exhaustive tests with 4 digit numbers, I get a measured entropy of 11.4 bits versus a theoretical 13.3, so it's not too bad. (Nearly all of the entropy loss is from 7249 values that never occur at all.) Measured entropy/wanted entropy declines as PIN length increases because the number of really long words declines sharply, so for 7 or more digits it's better to split it up. At any rate, it gives me a way of easily having lots of long, random looking, unrelated numeric codes that are much closer to full strength than, say, using your birthday.
Yeah, that Feynman was a sneaky guy - my favorite: "Feynman’s next technique depended on his visiting an office during the day, while the lock was open. While chatting to the occupant of the office he would idly fiddle with the lock. He simply turned the dial back and forth, going one number further each time. After each number he would turn the dial back to see if the lock would still open. The number he reached when the lock first refused to open again was the first number of the combination. With a slightly more lengthy version of this he could find the second number as well."
(a good read in any case)
1314 is a popular choice for Scots
Considering the amount of physicists to the amount of ordinary people who use 0-0-0, adding the usual lack of education among thieves - I doubt they hold a degree in physics - 1-3-7 is a quite good code. Easy to remember, and an important number.
While you're at it, it is well known that 17 is the most common random number: Ask anyone to pick a random number, chances are they'll pick 17: It's not too low, it's prime, it's not common in calendars (7) or tales (2, 3, 5, 13). So, a "random" code could be 0-1-7, for the people who are advanced enough to change their standard 0-0-0.
If they have been in the Army then the chances are it's their "Last three". I have tried this on old army friends and guess what, it works :)
They tell you there are two numbers you never forget,
1, Your first telephone number (mum made you remember it ;).
2, Your service number (and its last three digits which you had to shout out at every parade).
I use an ex-girlfriend's telephone number...
Of course a person could always use their name in 1337 speak....
Like Tim, for instance: 71m. Substitute the telephone code for M and you have 716.
Or they could do the same with Hex...
Or Binary... I don't know binary off the top of my head.
I use 640 on my luggage. It's all the RAM a computer will ever need, according to Mr. Gates.
For me it's always 1013.
That's a very important number to anyone who regularly watches the X-files.
(Name of the production company, birthday of the executive producer, most commonly occurring number in dates, times, and various numbers throughout the show)
All this talk about social engineering a three digit briefcase lock seems more trouble than simply trying all combinations. Even I can open a four digit combo on a bike lock in a few minutes.
"Even I can open a four digit combo on a bike lock in a few minutes."
Assuming you're talking about brute forcing rather than feeling the correct positions (which is often possible on cheap bike combination locks), you'd have to be fairly lucky to do 4 digits in "a few minutes". There are ten thousand equally likely combinations, so although you might get lucky and hit it early, on average you will need to try 5,000. From a quick experiment I find I can manage 2 to 3 combinations per second but only for a few seconds, it soon drops to about 1 per second. That means on average you should take over an hour, and might take up to 2 3/4 hours.
However, if you have a simple way of recording the swept keyspace (e.g. counting), and the bike is parked in the same spot each day, then you don't have to do it all at once. This fact (due to the inability to change the combination) is enough to make me avoid these locks even for a cheap bike.
This, incidentally, brings to mind what is in my mind a serious design flaw in briefcase locks. Most briefcases have two thumbwheel style combination locks, each with usually 3 wheels. The two locks are operated totally independently, which presumably makes them easier to assemble but also means the average difficulty of brute forcing is not a strong 0.5 * 10^6 (say, a week to brute force even with 24 hr shifts) but instead a puny 2 * 0.5 * 10^3 (about a quarter of an hour). Furthermore the latter attack can be parallelized (one person trying each lock), which happens to reduce the average time by 1/3.
It might be argued that stronger locks are irrelevant since the case can be forced open with a screwdriver or bodily carried away and opened at leisure. However briefcases are usually used to protect documents, and in document security it quite often happens that an undetected theft is far more serious than one which is quickly detected. With locks this weak it would be possible to undetectably open the case, copy documents and put everything back the way it was in any of a variety of scenarios. Furthermore, it shouldn't be hard to fix. If the sliders of the two locks are connected internally by a simple rigid bar, it wouldn't be possible to open either lock until both are correct. (The bar would need to be stiff enough that you couldn't feel a small amount of "give" when one only of the locks is on the correct combination.)
All this pin-code discussion made me remember an electronic door lock we once had. To enter you'd have to enter a 4 digit code, the lock would reset on open, and on forced reset. Otherwise it will simply test the last 4 digits entered, keeping them in memory.
This means that if you enter 1-2-3-4-5 it would actually check two codes: 1-2-3-4 and 2-3-4-5. So how many digits would you have to enter to get through all codes?
Obviously the maximum is 40000, 10000 codes, 4 digits each, but that's not very effective.
The most effective we could ever dream of is 10003: The first three don't make up a code and hence are not tested. Then for each new digit a code is tested.
I put the problem up first at a mathematics summer school, and someone claimed that you would "only" need to enter 10003 digits, but I never got that proof written down nor was I completely convinced it was correct.
So, if you're bored, I think this is a nice exercise in combinatorics :-) - I don't need to see the sequence if you can just provide a proof that it exists, possibly constructive. norgaard [at] math dot ku dot dk
It is easy to do more than 1 combination a second. On most briefcase combination locks, if you hold the release catch as if you are opening it, and then spin one dial, the lock will open if it reaches the correct combination. Meaning that a 3 digit lock only really has 100 different combinations and can be opened in under 2 mins.
"Or Binary... I don't know binary off the top of my head."
There are 10 kinds of people. Those who know binary, and those who don't.
Actually, there are 2 different, 3 wheel locks on many briefcases, which can be set to two different combinations. My briefcase password is actually a 6 number string.
Actually, your briefcase password is two 3 digits strings, which is 500 times weaker than one 6 digit string.
Oh, OK. The one I tried timing myself with, you couldn't turn the wheels while there was pressure on the slider.
A nice problem. I found a solution--not a closed formula, unfortunately, but a reasonably efficient algorithm, a type of greedy algorithm. Basically I keep an array of all 1,000 triplets, each pointing to a list of the remaining digits with which they have not yet been used. I then build my sequence list incrementally, as follows: take the last three elements of the list, and look up which digits have not yet been used for that prefix. For each of these digits, form a tentative new triplet, and find which of these would give the greatest number of candidates at the _next_ step. If several are equally good, pick one at random. If none of them give any, then we have backed ourselves into a dead end; start again. If you get up to 10,003, run a test to see if the answer is correct.
This algorithm frequently gets the list around 9,900 items long before stalling and having to restart; after about 200 ~ 500 attempts (taking a couple of minutes), it gets one which works. Multiple distinct answers are possible and are distinct beyond a mere relabelling of digits. I can send you the program if you want to give it a go.
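An added example, not the program offered in the comment above: a constructive answer to the door-lock question, using the standard Lyndon-word (Fredricksen-Kessler-Maiorana) construction of a de Bruijn sequence rather than the greedy search described. It also runs the same keystream against a hypothetical hardened lock, assumed here to clear its buffer after every failed four-digit comparison, to show why that design choice matters; all function names are illustrative.

```python
# Added example (not the commenter's program): how many keypresses a keypad
# needs to see before every code has been compared, for two lock designs.

K, N = 10, 4  # ten digits, four-digit code, as in the door-lock comment


def de_bruijn(k: int, n: int) -> list:
    """Cyclic de Bruijn sequence B(k, n), built by concatenating Lyndon words
    in lexicographic order (Fredricksen-Kessler-Maiorana construction)."""
    a = [0] * (n + 1)
    seq = []

    def extend(t: int, p: int) -> None:
        if t > n:
            if n % p == 0:  # a[1..p] is a Lyndon word whose length divides n
                seq.extend(a[1:p + 1])
            return
        a[t] = a[t - p]
        extend(t + 1, p)
        for digit in range(a[t - p] + 1, k):
            a[t] = digit
            extend(t + 1, t)

    extend(1, 1)
    return seq


def keystream(k: int = K, n: int = N) -> str:
    """Unroll the cycle into a linear string of k**n + n - 1 keypresses."""
    cycle = de_bruijn(k, n)
    return "".join(str(d) for d in cycle + cycle[:n - 1])


def codes_compared(keys: str, n: int = N, sliding: bool = True) -> dict:
    """Map each code the lock compares to the keypress count at which it is
    first compared.

    sliding=True  : the lock from the comment, which compares the last n
                    digits after every keypress.
    sliding=False : hypothetical hardened lock (an assumption of this example)
                    that clears its buffer after each failed comparison, so
                    only aligned n-digit blocks are ever compared.
    """
    first_seen = {}
    step = 1 if sliding else n
    for end in range(n, len(keys) + 1, step):
        first_seen.setdefault(keys[end - n:end], end)
    return first_seen


if __name__ == "__main__":
    keys = keystream()
    sliding = codes_compared(keys, sliding=True)
    hardened = codes_compared(keys, sliding=False)
    print("keypresses in stream:      ", len(keys))
    print("codes compared (sliding):  ", len(sliding))
    print("worst-case presses to open:", max(sliding.values()))
    print("codes compared (hardened): ", len(hardened))
```

Against the hardened design the same keystream covers only a quarter of the code space, and covering all of it takes the full 40000 keypresses mentioned in the original question.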
sheesh. now i have to change all of my passwords.....
I can already hear all the hackers adding pie to their dictionaries.
thanks for nothing (grin)
I understand a lot of physicists at Los Alamos during the Manhattan project used 02-03-05 (for Uranium 235)
Readers of Clarke's Rama series may recognize 4143 as the start of a series of quadratic primes. Not that I use it for anything important...
Briefcase combination locks *should* be irrelevant. A briefcase containing anything at all sensitive should simply not be left unattended by its custodian.
Trekkers might use 047...er, not that I am one.
i luv opening locked briefcases.
i just run them numbers through and usually i just unlock them to my own amazement.. i would say its my guts... haha. anyone tried this?
may i please have every 3 digit combination possible for numbers 1 to 49 if it's not a problem. my mother just died and she has a safe that i need to open. I know it might take me awhile but that's not a problem for me. Can you please help me out, you seem to be pretty good with numbers. Thanks.
i need to open a (a.roo emiment briefcase) it has a 3 digit code, can someone please help me as i have lost the key. many thanks.
AS FAR AS BRIEF CASES ARE CONCERNED......
This worked for me.
Visual Inspection: Each tumbler has a hub just below the lock surface. The hub has a notch (like a cross saw cut). This notch is visible from the top of each tumbler whenever the lock is set to the actual last combination set. Observing the notch is difficult. It must be seen through the slit in the top of lock using a flashlight. Shine the flashlight into the slit so that you can see the reflection of the hub. Move the flashlight to better find a visible reflection and rotate the tumbler until the notch is visible (often the change from shiny to dark indicates the presence of the notch).
My name is maggie and I am studying Investigative Journalism at Napier University.
We have a real case related to a combination safe (with a timer) in a high street shop such as a betting shop, a safe that can only be opened at a certain time of the day with a correct password.
I would like to ask whether any bloggers can give me more information on this kind of timed combination safe, and do you know whether it is still popular in high street shops?
Thank you very much for your help and look forward to hearing from you soon.
My email is email@example.com
License plate seen in the physics parking lot: QWHY137 -- Question: Why 137?
Yes, I'm a physicist. Nonphysicists probably thought that license plate was randomly assigned....
i want to change the lock combination on my protocol briefcase... does anyone know the sequence to do so?
I have been given a briefcase by an old friend and it is in good shape but locked. Can anyone help me find the combination for it. There are three numbers per side. Thanks..
Hello beautiful people,
My brother managed to change the combination on his briefcase from
000 000 to 111 ???.
Dan smith's idea sounded promising, but I do not understand how to do it. It did not work for me. Would you mind giving me a little more detail?
Thank you very much in advance.:)
never mind...I opened it by just trying all possible combinations...I'm glad it was 111 124 instead of 999 999 or something...
bought new brief, has 3 digit combo, lost instructions. it has small white lever inside that snaps down.. how the*#@ do u set combo??
Got these directions at luggage shop for initial setting of combination: Push the button inward towards the handle; hold it there while resetting to 3 new numbers. When you release you have new combo.
Why doesn't this work second time around? Surely someone knows how to do this. Do locksmiths have some kind of device to open these combination locks? It's a nice case, wish I could open it, but then that's why it was free... Sooo I am going through the combos one by one on one lock. Hopefully it's not one of those that require both set at same time. Good luck all.
I just tried houdontni's thing and it worked to set and reset it a couple of times with different #'s. There is a small white lever in the left lock of mine, but it looks more like a string of glue?!?
I can't open the lock on my kenneth cole briefcase. I forgot the combination and lost the instructions. Can anyone offer any suggestions?
Like another person, who I don't see an answer for, can anyone tell me where to get a list of all of the numerical combinations possible for a 3 digit lock on a briefcase that runs from numbers zero through nine in each column? How many possibilities are there? I need to try them all. I know I start with 000 through 999 then 011, 012, 013, all the way to 789 and 799 etc. However, this may help one of you math geniuses help me - I believe that no digit is used twice in the combination. I strongly believe that, but I might be wrong, and I know while running through the numbers that may make several hours worth of difference. It is a Victorinox or Wenger briefcase with a metal button that slides a little to the left or a little to the right each side of the case on the outside, and then the three digits (which I know are the same on both sides, thank God) roll individually in the middle, and then on the left is a clip that moves up and down that you may have to push at the same time as the button when you get the right code, which is a bit of a pain in the butt for someone who cannot remember the number to their own briefcase. I locked it about five years ago, and know the numbers are not anything I can recall (I know, don't tell me how stupid I am please,) my mom washed my papers with passwords etc that was in my jeans pocket and threw it out a couple of weeks ago (this is one of my "easier" problems to solve I KNOW some geniuses here can help me!) other than I think there is an 8 or a 7 in the three digits somewhere, but since that is just a hunch with a memory as bad as mine, I am going to ignore it. I wish I could just cut it open, (I could cut through the leather, if no one can help, but then I will have to buy another expensive case just like it, and I don't even know if they make them anymore, because I borrowed it from my brother a long, long time ago, and now he needs it back. 
I think someone here can tell me how to figure out how to go through all of the possible numbers, or refer me somewhere where I can see what they could be so I can check off each one, and make sure I try them all. Is there a formula or something to give me all of the numbers? Better yet, is there a way I look at a chart? I will owe someone a DVD of their choice, or IPOD download or something up to $25 reward! You could email me if you want to email firstname.lastname@example.org NOT @aol.com!!!! THANK YOU!!
Why don't you open it the easy way? All it takes is a strong light, pocket knife or metal nail file and good eyesight. Under a good light, use the knife or nail file to spread the number disks apart a bit so you can see between the disks. Each disk has a small stem on one side or the other. Usually it is on the right side. While watching closely, rotate the disk until a flat side or occasionally a notch shows up. Do the same to all the number disks, until all the flat places are in the same plane. If this doesn't open the lock, carefully turn all the disks at the same time one number at a time till the lock opens.
I purchased a case in 1992, never used it until 3 days ago. Today, for the first time, one of the 3-digit combination locks would not open. My 8-yo niece was playing with it and one of the locks will not open. It has "BOVANO" engraved on the lock, but I could not find a website that provides information on this case. Can you help me? I thought that both still opened at 000, but found that one is set on 258, which has no significance to me whatsoever. If I take it to a locksmith, will he be able to open it?
Sister in law gave me a stebco tufide brief case. It is open, but the locks don't catch. Seems as though the post is too short. I think a combination would help, but none available. Any suggestions?
A couple of you had the correct solution for the case that I have. It has no markings except for one little tag inside one of the pockets that says Office Club. The locks operate totally independent of each other. No bar integrated somewhere inside.
Anyway, the technique of viewing the side of each number disk until you see a notch or flat side enabled me to open the lock. You will need a light or magnifying glass in order to see the spot clearly.
I was able to reset the combination only after first discovering the correct one. To enter a new combination leave the numbers for the current combination in place. Push the release tab in (toward the handle). Then while holding the tab, turn the numbers to the new combination you choose. Release the tab and your new combination should be set.
I would thank the individuals who initially posted the correct information, however I just don't have time to go back through and read it again until I find them. You all know who you are and Thank you, collectively!
hi i have a brief case it is a 3 digit how do you change the code
I did a Google search because I couldn't get into my old hard-sided briefcase containing Court-Related paperwork from a Court bout with my worthless ex-wife 7 years ago. I really need that stuff now (another bout, unfortunately), but didn't know the combination and it's a nice briefcase and wasn't excited about breaking it open.
These old Blogs saved the day! Held the latch switch to the left and breezed through all of the numbers and before you knew it "Pop". Did the same with the other side and both were "popped" in less than 15 minutes.
I couldn't believe that I could have spaced out and not saved that number someplace! Then I thought maybe I switched the number to something I'd remember, but a 6 digit number just didn't work and I was absolutely positive that combination was set by the factory and I couldn't change it.
I figured I put the number in a long lost day planner someplace. I have tried day planners quite a few times over the years, and have decided that I just don't like them. I use the Outlook calendar.
After the deed was done and I was thoroughly pleased with myself and this website, I looked at the 3 numbers on the one side and the 3 on the other, after getting it open: 041---559. Son of a gun! My birthday: April 15, 1959! That thought crossed my mind while struggling with the briefcase, but 41559 didn't have enough numbers. Duh! It's obvious the number is changeable and I'm not as dumb as I thought because I shouldn't NEED to write that number down anyplace! But I guess I am as dumb as I thought because I thought the numbers in my b-day didn't add up to 6 digits! Duh!
I have a Vaultz brand smaller locking box. It's called a "Vaultz cash box" on the staples receipt. I set the combination and made it something No one could ever guess. Now that includes me. Besides breaking it open is there any hope of getting it open. There is Very important paperwork in there I need for my job. It has a silver latch in the middle, like a brief case, then three tumbling numbers, and then the square push/slide button opener. I know it was factory set at 000 and can go up to 999. I tried the flashlight idea....to no avail. Is there Any way, to open this case without destroying it?
Or even a list of the possible 1,000 combinations i can print out and try one by one and highlight as each doesn't open until I can figure out what number I used. I tried Every possible combination that I have used in the past. nothing works.
Hopefully the smart-ies on here can help.
I have the same problem. Did you ever figure out the combination?
i have the vaultz cash box and i also lost the comb it's also from staples how do i unlock it grr
i have a four digit bike lock the numbers range from 1-6 and i can't seem to open it any advice would be appreciated
@ Tada Thank you, I never did figure it out, (briefcase that has sat in a closet for years), but while trying to get that method to work, it suddenly opened. Thanks again, Kurt
I have a brief case i don't know the combination to it is a 3 digit and the case is a clarke i need help to get it open
Sir, we have an old filing cabinet and it has a side compartment with a Cole combination dial. The door is locked open and we do not remember the combination. Is there any way we can reset a new combo? I have taken the lock off and can get to the back side if needed.
Your help will be appreciated; Thanks!
Go have a look at Matt Blaze's page on lock picking; there is a paper there specifically about combo locks.
As a general rule of thumb the simple "spin dial" combination locks have a series of wheels inside them with slots to take the drop bar of the lock mechanism. On these wheels are "pick up" pins or bumps that actually set the combination (which is why you have to turn the dial n turns to the left, n-1 to the right, n-2 to the left, etc.).
Really cheap locks won't allow you to move the pins or bumps, so all you can do is change the wheels' position on the shaft or the order of the wheels (the latter is not recommended as it can allow the wheels to be "felt in" by a "cracker").
Once you see a simple combo lock open you will be surprised at just how simple they really are.
Re some of the Feynman stories: As Alamos was v.new many locked cabinets etc arrived with default factory settings. Occupants of offices often did not have time to reset them so Feynman simply tried the factory defaults he knew and of course it looked very smart to the uninitiated if some could be opened.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.