"Amigos y nadie más. El resto, la selva"
-- Jorge Guillén

Lock pick -- the "old" fashion way

Lock Cracking Done

So here is the short story:

I setup one of those nice locks on an old iMac and then, years later, forgot which password I set it to.

Yeah, totally unnecessary, but here I was stuck with an iMac on a desk that I could not move. So I started thinking of solutions for this situation and my hacking mind was racing towards the "brute force" it way. The facts were that:

  • I vaguely remembered changing the default password
  • I knew, or had an idea, of how the password was
  • There is only 4 places with 10 characters, so only 4000 possible choices
  • I had lots of time on my hands

With that in mind, I started thinking of how to shorten the list of possibilities. The character list was:

Lock chioces

  • pos1: d b w t r p m l h g
  • pos2: e a y w u r o l i h
  • pos3: e a t s r o n m l i
  • pos4: d y t s p n m l k e

And of course, after writing the choices down, this immediately started to look like a Ruby program will be needed.

So on position 1, there can only be a consonant. I knew that on position 2 I had picked a vowel. In addition, I also knew that I have picked a word -- something with a meaning that you can find in a dictionary. So, naturally, these became the constraints for my Ruby code.

First, I needed to get some command line dictionary utility that would yield fast results. On Ubuntu Linux, this is done by the dict command and you can install all sorts of dictionaries to run from your local systems under the dictd daemon:

sudo apt-get install dict dictd dict-gcide dict-wn

Description for some of the packages:

ii dict 1.11.2+dfsg-2 dictionary client
ii dict-gcide 0.48-6 A Comprehensive English Dictionary
ii dict-wn 1:3.0-23ubuntu1 electronic lexical database of English language for dict
ii dictd 1.11.2+dfsg-2 dictionary server

From the man page of dict it shows that when checking for a word, the program exits with a status of non-zero if there is no match. This is what I needed.

To setup the dictd daemon on Debian systems, like Ubuntu, you do not need to do anything -- Thanks to the wonderful Debian policies. These are the default settings for /etc/dict/dictd.conf:

global {

bind to local interfacea only


Access section here:

access {
allow localhost

this allows access only from local host

allow inetd

this allows access from inetd server


Database section here:

include /var/lib/dictd/db.list

After you know the daemon is running on its default port, you can then run the following code. I named the file lock_combo.rb and ran it like:

ruby lock_combo.rb > /tmp/choices.txt

Here is the content of that file:

pos1 = %w{ d b w t r p m l h g }
pos2 = %w{ e a y w u r o l i h }
pos3 = %w{ e a t s r o n m l i }
pos4 = %w{ d y t s p n m l k e }
i = 0
pos1.each do |a|
pos2.each do |b|
next if b !~ /[aeiouy]/ # we only care if second is vowel
pos3.each do |c|
pos4.each do |d|
word = a + b + c + d
dict -h localhost #{word} > /dev/null 2>&1
if $?.exitstatus == 0
i += 1
print "#{word}\t"
puts if i % 14 == 0
rescue => e
$stderr.puts e.message

A few seconds later I had list of about 1062 choices. This was a lot, but it's an improvement from the full 4000!

$> cat /tmp/choices.txt |wc
75 1062 5385

I knew I needed to print this, so I formatted the text to fit as much as possible in a single page. A normal 8 in. by 10.5 in. page fits about 14 columns of 4 letter words and spaces. This is why you see the line puts if i % 14 == 0, to essentially add a new-line character here.

In the end, I was able to find the password for the lock, best after only a few words tried. (And in case you noticed, this was one of the default password for this style of locks. I just didn't have the instructions with me -- obviously, hackers don't read instructions manuals!!)

Lock password found


New Comment

* optional