I'm involved with a group that has become interested in using the crack on Master Lock Series 1500 combination locks as a physical example of the tradeoffs between risk and security and relating it to information security. As such, I have hacked quite a few of these locks using manipulation, homemade shackle shims made with an aluminum soft drink can and a pair of scissors, shoulder surfing, and bolt cutters.
I'd like to suggest some revisions for this newsgroup's FAQ based on what I have observed:
1) Everyone loves to assume that there are 40^3 = 64000 possible combinations. This relies on a really weak assumption - namely that the marks on the dial mark (a) only and (b) all the valid combination values. I've seen locks where valid values lie between dial marks. Even if there were only a single valid value between each of the marks on these dials, that 64000 explodes to over half a million. On the other hand, there is nothing that says that every mark has to represent a valid value. If only every other mark is valid, that shrinks the keyspace to only 8000 entries. In this case, Master Lock themselves, on their website, only claim that there are 1500 combinations. By the way, if anyone knows how this number is arrived at, I would love to know. Based on what I have deduced about the constraints on their keyspace, I have only been able to get within a few hundred of that number depending on what assumptions I make.
2) The whole business of identifying all twelve catching spots and determining which ones are between numbers and which ones are on numbers and which one of the latter group has a different last digit than the others is needlessly involved, frequently gives wrong answers, and doesn't take manufacturing tolerances into account. Consider that if the dial is off by half a mark the combination will almost certainly still work, yet which sticking spots are centered and which aren't will be reversed. In reality, you can determine the last digit simply by noting which of the twelve points has the greatest range of freedom. It also has to be free of any hint of friction from the lock pawl (hope that's the right term). This method has worked correctly on all twenty locks it has been tried on and, for those not covered by the next observation, has opened each of them in somewhere between 2 minutes and 9 minutes.
3) Master has changed the rules. I was demonstrating this technique to a colleague and failed to open the lock. After over an hour working with it I finally looked at the combination itself and it didn't follow the algorithm. The first and third numbers were odd while the middle number was even. In addition, the first and last digits were not congruent modulo four (the first number wasn't equal to the last number plus some multiple of four). So far I have encountered three more locks that break the pattern. All of them are the colored-case locks, but I suspect that is more a reflection of the inventory status where I purchased the locks. You can still identify the last number as easily as before, but the first two numbers are not nearly as constrained as they were previously.