# Suggested update to FAQ wrt Master Lock Hack

I'm involved with a group that has become interested in using the
crack on Master Lock Series 1500 combination locks as a physical
example of the tradeoffs between risk and security and relating
it to information security. As such, I have hacked quite a few of
these locks using manipulation, homemade shackle shims made with
an aluminum soft drink can and a pair of scissors, shoulder
surfing, and bolt cutters.
I'd like to suggest some revisions for this newsgroups FAQ based
on what I have observed:
1) Everyone loves to assume that there are 40^3 = 64000 possible
combinations. This relies on a really weak assumption - namely
that the marks on the dial mark (a) only and (b) all the valid
combination values. I've seen locks where valid values lie
between dial marks. Even if there was only a single valid value
between each of the marks on these dials, that 64000 explodes to
over half a million. On the other hand, there is nothing that
says that every mark has to represent a valid value. If only
every other mark is valid, that shrinks the keyspace to only 8000
entries. In this case, Master Lock themselves, on their website,
only claims that there are 1500 combinations. By the way, if
anyone knows how this number is arrived at, I would love to know.
Based on what I have deduced about the constraints on their
keyspace, I have only been able to get within a few hundred of
that number depending on what assumptions I make.
2) The whole business of identifying all twelve catching spots
and determining which ones are between numbers and which one are
on numbers and which one of the latter group has a different last
digit than the others is needlessly involved, frequently gives
wrong answers, and doesn't take manufacturing tolerances into
account. Consider that if the dial is off by half a mark the
combination will almost certainly still work yet which sticking
spots are centered and which aren't will be reversed. In reality,
you can determine the last digit simply by noting which of the
twelve points has the greatest range of freedom. It also has to
be free of any hint of friction from the lock pawl (hope that's
the right term). This method has worked correctly on all twenty
locks it has been tried on and, for those not covered by the next
observation, has opened each of them in somewhere between 2
minutes and 9 minutes.
3) Master has changed the rules. I was demonstrating this
technique to a colleague and failed to open the lock. After over
an hour working with it I finally looked at the combination
itself and it didn't follow the algorithm. The first and third
numbers were odd while the middle number was even. In addition,
the first and last digits were not congruent modulo four (the
first number wasn't equal to the last number plus some multiple
of four). So far I have encountered three more locks that break
the pattern. All of them are the colored-case locks, but I
suspect that is more a reflection of the inventory status where I
purchased the locks. You can still identify the last number as
easily as before, but the first two numbers are not nearly as
constrained as they were previously.
If you know the last number of the combination then there are only 80 possible combinations to try. Older combo locks from a couple of decades ago could be manipulated to find the last number but false gates now make that impossible. Don't get defensive, just disassemble one of your locks and I think you'll see that the false gates prevent a last number guess. I also want to mention that Master combo's have always been either all odd or all even and it is unlikely that they have changed this. There is no code that violates this all odd/all even pattern and besides, it wouldn't increase the security of the lock, anyway.
Your work on this shows that you are bright individual. I hope you'll use your talents as a stepping stone for honorable purposes. Your work also shows that these combination locks don't offer much in the way of security so you're already doing a good service by spreading the word! Now think about this, wouldn't it be nice if we could trust each other enough so that we didn't even have to use these make-believe locks at all? Good luck in solving this interesting mathematical puzzle.
Years ago when I was in high school (38 to be exact) one could just pull down a bit on the padlock body, and then move the dial left and right, then flipping the padlock hard upwards. After about 2 to 6 attempts the shackle would spring open. Of course, now that Master Lock is owner by Smith and Wesson, it might be a better idea to just move on down to another brand of lock!
Master Lock Co. is owned by Fortune Brands. S&W is a customer, not an owner. BBE.
Bill Halle wrote: > > Years ago when I was in high school (38 to be exact) one could just pull > down a bit on the padlock body, and then move the dial left and right, then > flipping the padlock hard upwards. After about 2 to 6 attempts the shackle > would spring open. > Of course, now that Master Lock is owner by Smith and Wesson, it might be a > better idea to just move on down to another brand of lock!
> > I'm involved with a group that has become interested in using the > > crack on Master Lock Series 1500 combination locks as a physical > > example of the tradeoffs between risk and security and relating > > it to information security. As such, I have hacked quite a few of > > these locks using manipulation, homemade shackle shims made with > > an aluminum soft drink can and a pair of scissors, shoulder > > surfing, and bolt cutters. > > > > I'd like to suggest some revisions for this newsgroups FAQ based > > on what I have observed: > > > > 1) Everyone loves to assume that there are 40^3 = 64000 possible > > combinations. This relies on a really weak assumption - namely > > that the marks on the dial mark (a) only and (b) all the valid > > combination values. I've seen locks where valid values lie > > between dial marks. Even if there was only a single valid value > > between each of the marks on these dials, that 64000 explodes to > > over half a million. On the other hand, there is nothing that > > says that every mark has to represent a valid value. If only > > every other mark is valid, that shrinks the keyspace to only 8000 > > entries. In this case, Master Lock themselves, on their website, > > only claims that there are 1500 combinations. By the way, if > > anyone knows how this number is arrived at, I would love to know. > > Based on what I have deduced about the constraints on their > > keyspace, I have only been able to get within a few hundred of > > that number depending on what assumptions I make. > > > > 2) The whole business of identifying all twelve catching spots > > and determining which ones are between numbers and which one are > > on numbers and which one of the latter group has a different last > > digit than the others is needlessly involved, frequently gives > > wrong answers, and doesn't take manufacturing tolerances into > > account. Consider that if the dial is off by half a mark the > > combination will almost certainly still work yet which sticking > > spots are centered and which aren't will be reversed. In reality, > > you can determine the last digit simply by noting which of the > > twelve points has the greatest range of freedom. It also has to > > be free of any hint of friction from the lock pawl (hope that's > > the right term). This method has worked correctly on all twenty > > locks it has been tried on and, for those not covered by the next > > observation, has opened each of them in somewhere between 2 > > minutes and 9 minutes. > > > > 3) Master has changed the rules. I was demonstrating this > > technique to a colleague and failed to open the lock. After over > > an hour working with it I finally looked at the combination > > itself and it didn't follow the algorithm. The first and third > > numbers were odd while the middle number was even. In addition, > > the first and last digits were not congruent modulo four (the > > first number wasn't equal to the last number plus some multiple > > of four). So far I have encountered three more locks that break > > the pattern. All of them are the colored-case locks, but I > > suspect that is more a reflection of the inventory status where I > > purchased the locks. You can still identify the last number as > > easily as before, but the first two numbers are not nearly as > > constrained as they were previously. > > > > > >
only 80
Probably only 72, but there is a couple of assumptions involved in that. In practice, it is quicker to just run the full 100 numbers instead of trying to exclude them. .
Lovely - you call me a liar twice and then tell me not to get defensive?
Done that - not once but three times.
number guess.
No, what you will see is an *attempt* to prevent a last number guess. An attempt that fails primarily because of the poor manufacturing tolerances commensurate with a four dollar lock.
Did you not read what I wrote:
"This method has worked correctly on all twenty locks it has been tried on"
Or are you really claiming (and somehow believe) that on 20 consecutive brand new locks I managed to randomly guess the correct last number on the first attempt in each case? Let's see, if I were to randomly guess 20 last numbers for twenty locks (in order) and could come up with a set of numbers every second continuously twenty-four hours a day, I would expect to hit all twenty correctly roughly once every 2,000,000,000,000,000 billion years. Since the universe is only about 15 billion years old, I'm willing to assert that my string of hits is a little bit more than lucky guesses.
either
this.
You can mention whatever you want - that doesn't make it so. Nor does it matter how likely or unlikely something is that has already happened - they DID change it.
Aga"So far I have encountered three more locks that break the pattern."
You can stick your head in the sand all day long, that doesn't change reality.
Or do you really believe that the following combinations somehow do not break the pattern:
15-24-09 (Serial #8000140) 31-16-21 (Serial #8000368) 27-08-21 (Serial #8000286)
much in the way of security.
How much security should a four dollar lock offer? The presence of a valid manipulation attack that takes, on average, five minutes to defeat the combination has to be compared with a shim attack that can defeat it in about ten seconds (although I must confess that my shim attacks have varied between two seconds and fifteen minutes) and a bolt-cutter attack that is guaranteed to work in five seconds or less. The point is not that these locks are insecure, but that the level of security demanded from a lock must be commensurate with the level of security that is needed - in other words, the choice of what lock to use should be the result of an appropriate amount of risk assessment. I have absolutely no qualms using these locks for a variety of purposes - I would be just as remiss using a \$100 lock on fence gate when someone can just climb over the fence as I would be using one of these locks on a gun safe. .
only 80
gates now make
number guess. I
either all odd or
wouldn't
work also
of security
Now think
enough so that
Good luck in
physical
relating
few of
with
based
possible
namely
valid
value
8000
website,
know.
of
spots
are
last
gives
sticking
reality,
the
to
that's
twenty
next
over
third
multiple
break
where I
as

#### Site Timeline

• Any one have key codes for Quickbooks 2006 canadian version? Thanks B3533 Mine...
• next in

## ðŸ”’ Lockmithing and Lockpicking Discussions

• Hi Steve.. Rob McK here ex Sunshine Coast Was the rep named "Henry".. if so...
• previous in

## ðŸ”’ Lockmithing and Lockpicking Discussions

• I have very old slaymaker combination lock was bought 1977 , still is in good...
• last updated in

## ðŸ”’ Lockmithing and Lockpicking Discussions

• Hi, At the link below is a pic of a key that belonged to my late father. I'm...
• last posted in

## ðŸ”’ Lockmithing and Lockpicking Discussions

• Hello, I would really appreciate your advice on the following: I am making up my...
• site's last updated in

## ⏚ Electrical Engineering

• Mieszkaniec OstroÅ‚Ä™ki upadÅ‚ z wysokoÅ›ci drugiego piÄ™tra. ZginÄ…Å‚ na...
• site's newest in

## Engineering Science (Polish)

PolyTech Forum website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.