Recently one of my friends purchased a bike from walmart. At work, he was showing me the new beauty when i noticed that it was locked using a wordlock. Now these “wordlocks” are these fancy locks in which the required combination to unlock is formed by letters instead of traditional numbers or lock/key mechanism. They are designed to be “easy to remember” for the bike rider. As a sample, see the image of a wordlock below
(Image courtesy: wikimedia)
These cost anywhere from $9 to as high as $20. These locks advertise a total of 10,000 possible combinations. In terms of their “security rating” which is between 1 and 5, 5 being the safest lock, they go up to level 2.
Curious to ride my friend’s new bike I was trying my luck at guessing his word combo. Smiling at my vain efforts to guess, he gave me 24 hours to get the right password. (24 hours is waaayyyy too much, but who says no to extra time?). I went back home, picked up a sample wordlock that had 4 character combinations with 10 “random” letters in each line making a total of 10^4 = 10,000 possible combinations. A quick python script to try out all combinations and checking if they are words in the english US dictionary using the enchant library is as follows:-
import enchant import sys dial1 = raw_input("Enter characters on first dial:") dial2 = raw_input("Enter characters on second dial:") dial3 = raw_input("Enter characters on third dial:") dial4 = raw_input("Enter characters on fourth dial:") if len(dial1) != len(dial2): sys.exit("dials should have same number of characters") if len(dial2) != len(dial3): sys.exit("dials should have same number of characters") if len(dial3) != len(dial4): sys.exit("dials should have same number of characters") d = enchant.Dict("en_US") count = 0 for c1 in dial1: for c2 in dial2: for c3 in dial3: for c4 in dial4: tempstr = c1+c2+c3+c4 if d.check(tempstr) is True: count = count + 1 print tempstr print "Total combinations:" + str(count)
I ran this script with the characters on a sample wordlock as shown below
This gives only 836 possible combinations. Now to try the combinations in reality, I set the first letter to a fixed character say ‘l’, the second to ‘e’, the third to ‘e’ and then manually go over every possible combination in dictionary that my program spitted out. Lets assume i take about 3 seconds to try each valid combination, that yields 836*3 seconds = 2508 seconds / 60 = 41.8 minutes (say 45 minutes approx). We know that brute force is not the smart way of breaking things but hey, it just works here. The whole idea of “wordlocks” making it easier to remember combinations just reduced the security by (1 – 836/10,000)*100 = 91%.
I do not feel safe leaving my bike anywhere more than 45 minutes with wordlocks. As they say in information security, you are only as secure as the weakest link in the security chain, wordlocks are “literally” the weakest chain in bike security. Pwned.