

Why you should use four different digits for keypad locks - Kafka
http://alicebobandmallory.com/articles/2009/09/23/why-you-should-use-four-different-digits-for-keypad-locks

======
Nwallins
The keypad at an office I worked at about 10 years ago had an electronic
display that randomized the key positions. The display's viewing angle was
artificially narrowed as well. I thought that all of this was to prevent
shoulder-surfing -- the wear and buildup issue never crossed my mind.

------
mark-t
I've never come across a keypad lock that would be vulnerable to this. You
either have to press # at the end of the code, or the codes are significantly
longer than 4 digits. Of course, even in the first category, entering 24 codes
(50% chance of entering 12 or fewer) isn't a huge barrier once you know the
four digits.

~~~
icefox
I want to say that a bunch of cars had this. Even worse each button did 2
numbers so rather then 10 numbers there was actually only 5.

------
jberryman
Wow, I just finished implementing a couple algorithms for binary De Brujin
sequences in haskell and was working on a blog post when I read this. You can
check out mine here if you want:

[http://coder.bsimmons.name/blog/2009/09/cracking-a-lock-
in-h...](http://coder.bsimmons.name/blog/2009/09/cracking-a-lock-in-haskell-
with-the-de-bruijn-sequence-pt-1/)

We must have been reading the same articles on reddit which lead us to the
same tengentially-related wikipedia page or something.

------
brown9-2
Sounds like having an enter or # key increases the number of attempts needed
significantly.

So why would anyone make keypads without them? Ease of use over security?

------
gojomo
From the 'obvious wear' or 'tracking substance added' risks mentioned, it also
seems you should, after entering the proper code, touch every other number
redundantly as well.

I suppose with 10 transparent markers that are distinguishable under detailed
inspection (such as fluorescing to different colors under UV light), you could
even work out the right order on the first try: "traces of orange have
transferred to 3 other keys, so the orange key was pressed first; traces of
green to 2 other... (etc.)"

~~~
Kafka
An even more sinister approach would be to use an infrared meter a couple of
seconds after someone just touched the keypad.

~~~
tesseract
I wonder whether any of the FLIR imagers that are currently commercially
available and reasonably portable are sensitive enough to make this work. Any
links?

------
Kafka
I made a couple of very bad mistakes in that article. Hopefully I got it right
in the sequel. [http://alicebobandmallory.com/articles/2009/09/27/a-case-
for...](http://alicebobandmallory.com/articles/2009/09/27/a-case-for-using-
only-three-different-digits-in-keypad-codes)

~~~
Kafka
Feel free to post it to the main feed if you feel it's Hacker News worthy. I
will not. Not again.

------
billybob
If you knew that everyone used four different digits for keypad locks, that
would dramatically reduce the number of possible combinations you had to
try...

How about "use something random, change the keys before they wear down, and
wipe them before and after use if you're paranoid."

~~~
ars
4 presses out of 10 options, allowing duplicates, and order is significant:
10,000 options.

4 presses out of 10 options, not allowing duplicates, and order is
significant: 5,040 options.

It's less certainly, but not dramatically.

4 presses out of 10 options, not allowing duplicates, and order is _not_
significant: 210. That, I would call a dramatic reduction.

In a typical 10 button number lock order is not important, and you can choose
from 1 to 10 presses: 1024 options.

------
slay2k
Enjoyed the blog, thanks for sharing.

Trying to find a real reason to buy an infrared meter..

