Security Precautions for Use with the Master 4 Digit Resettable Combination Padlock (Model 175 and Its Family)

We have found a serious vulnerability. Please click here.

The remainder of this information may be useful for other resettable combination locks that don't have the vulnerability.

You may prefer to use a combination lock instead of a keyed lock, for several reasons. You won't be locked out if you forget your keys. You won't have to load down your keyring with more keys. The Master four digit resettable padlock, 175, and its family appear to be more secure than single dial padlocks. At least, if they aren't as secure, we find very little knowledge available on how to open them without knowing the combination and we haven't been successful in developing methods to open them. (We do find potential security weaknesses and are trying to develop methods for opening them.) Since the combination is user settable, you can use the same combination for several locks, reducing the number of combinations to remember. However, this padlock requires that the user exercise greater diligence in protecting the combination from guessing and observation.

A serious vulnerability of this lock is that a thief can get the full combination just by viewing the dials on an opened lock, or by pressing modelling clay against the thumbwheels to get an impression from the dials. The thief does not have to watch the numbers as they are dialed, as is the case for a single dial lock. Users are inclined to forget and leave the lock hanging with the combination while they access items in the locker. I have first hand experience. I donated household items to a charitable organization. As I handed the items up to the attendant to load on a truck trailer, I saw one of these locks, hanging by its shackle, unlocked. The dials were plainly visible and probably set to the correct combination. I say "probably" because the combination was something easy to guess, like 1234, which would be unlikely to have been dialed by random turning of the dials after opening the lock. (However, I did not go back after hours, when the trailer would have been locked and unattended, to try the combination to see if I was right!) Because of this vulnerability, we do not recommend this lock for use on school lockers located in busy corridors, where the combination is likely to be observed or impressioned without the locker user's knowledge.

If Master offered a version of this lock which automatically reset to 0000 when it was opened, we would gladly pay a few dollars more to have that feature! (Since an automobile trip odometer resets to 0 when a button is pushed, we don't know why a padlock couldn't reset to 0 when opened!) We would also prefer that Master print several random 4 digit numbers, generated by its computers, inside each new lock's package, so the user can choose one if desired. These numbers could be generated the way lottery "quick picks" are generated. Alternatively, the Master Lock website could provide random 4 digit numbers.

For applications where the lock is suitable, we provide these guidelines:

a) Preferably, choose a random 4 digit number for your combination, and commit the combination to memory. However, if you decide to choose a combination that is easier to remember, do the following: Avoid numbers from 1900-1999, since many people use their birth years or a parent's birth years as combinations, and a thief will try the 100 combinations corresponding to years. Avoid other easy to guess numbers, such as 1234, 4321, 2222, etc. Also avoid famous years such as 1492, 1776 or 1812. Avoid using numbers from your phone number or your favorite pizza parlor's number, your street address, etc. that someone can look up. Avoid using your ATM or credit card PIN number, especially for a health club locker. If a thief sees your combination, he or she can come back later, open your locker, take your ATM or credit card and use your locker combination as the PIN.
b) Always reset the dials to 0000 (or some other specific number) immediately after you open the lock. Otherwise, someone can get your combination just by looking at the thumbwheels. This is especially important at a self storage facility, where you may leave the locker open and unattended for a short time while you take belongings to your vehicle or bring belongings to the locker. Also, don't just spin the dials with your fingers, since you may leave some of the digits unchanged. Most likely, the first and last digits would be left unchanged, so the thief only needs to try 100 combinations to open your lock. If that didn't work, the thief might guess that the third and fourth numbers were unchanged, and try 100 combinations for different first and second numbers.
c) To generate a random combination by hand, shuffle a standard deck of cards. Draw a card. If the card is a face card, set it aside and draw cards until you don't get a face card. The number on the card is your first digit, where ace is 1 and 10 is 0. Put that card back (but not the face cards) and reshuffle. Draw a card for your second digit and reshuffle. Repeat for digits 3 and 4. Verify that the combination generated is not something that is easy to guess. If it is, start over.
d) To generate a reconstructable combination based on something easy to remember, we suggest selecting a four letter or longer word, such as CLOUD. Now, find the positions of the first four letters of the word in the alphabet. For CLOUD, C is letter 3, L is letter 12, O is letter 15 and U is letter 21. Drop the tens digits, and you have 3251. Dial 3251 on your lock. Now draw cards from a shuffled standard card deck, until you get an ace or a numbered card less than 10. Turn each of the four thumbwheels forward the number of positions corresponding to the card drawn (ace = 1). Thus, if 8 were drawn, you have 1039. This becomes your combination. Set 1039 into the lock, using the manufacturer's instructions. If you forget your combination but recall your code word, regenerate the combination for your code word and dial it into your lock. Now, advance all four thumbwheels one position. Try to open the lock. If it doesn't open, advance all four thumbwheels one position again. Within 9 tries, the lock will open.
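
An added example, not part of the original page: guidelines (a), (c) and (d) written out in Python. The `secrets` generator stands in for the card deck, the pattern rule in `is_easy_to_guess` is one assumed reading of "1234, 4321, 2222, etc.", and all function names are illustrative.

```python
import secrets

FAMOUS_YEARS = {"1492", "1776", "1812"}  # the years guideline (a) names

def is_easy_to_guess(combo: str) -> bool:
    """Guideline (a): birth-year range, famous years, runs and repeats."""
    if 1900 <= int(combo) <= 1999 or combo in FAMOUS_YEARS:
        return True
    digits = [int(c) for c in combo]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    # Assumed pattern rule: one constant step of 0 (2222), +1 (1234) or -1 (4321).
    return len(steps) == 1 and steps <= {0, 1, 9}

def random_combination() -> str:
    """Guideline (c), with the OS random source in place of the card deck."""
    while True:
        combo = "".join(str(secrets.randbelow(10)) for _ in range(4))
        if not is_easy_to_guess(combo):  # "If it is, start over."
            return combo

def base_from_word(word: str) -> str:
    """Guideline (d): alphabet positions of the first four letters, tens dropped."""
    letters = [c for c in word.upper() if "A" <= c <= "Z"][:4]
    if len(letters) < 4:
        raise ValueError("code word needs at least four letters")
    return "".join(str((ord(c) - ord("A") + 1) % 10) for c in letters)

def advance(combo: str, shift: int) -> str:
    """Turn every thumbwheel forward by `shift` positions, wrapping 9 -> 0."""
    return "".join(str((int(c) + shift) % 10) for c in combo)

def combination_from_word(word: str, shift: int) -> str:
    """`shift` is the card drawn: ace (1) through 9."""
    if not 1 <= shift <= 9:
        raise ValueError("shift must be 1..9")
    return advance(base_from_word(word), shift)

def recovery_candidates(word: str) -> list[str]:
    """The at most 9 dial settings to try when only the code word is remembered."""
    base = base_from_word(word)
    return [advance(base, s) for s in range(1, 10)]

if __name__ == "__main__":
    print("random:", random_combination())
    print("CLOUD + 8:", combination_from_word("CLOUD", 8))
    print("recovery order:", recovery_candidates("CLOUD"))
```

Because a shift can land on a guessable pattern, run a code-word combination through `is_easy_to_guess` as well. Anyone who learns the code word is left with only the nine candidates, so the word needs the same protection as the combination.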

