4 Digit Codes – Keypads
My students from my *Escape and Entry* courses have shown a lot of interest in the decision making matrix that I walk through while making entry. It is difficult to teach in full because every situation is different but the best way to develop your own decision making process is by case studies, your own or from others. Here is a 4 digit walkthrough example.
In the courses that I teach there is an entire instruction block that is all about 3 and 4 digit codes, it also overlaps into some other course instruction blocks. During my “4 Digit Code” block I start off with the basics of some of the different vectors of attack for making entry through a code barrier. The basic blocks I teach for attack vectors:
- Manufacture Default
- Common Access Codes
- Socially Engineered Codes
- Random Ass Codes
- Evidence of a Code & Other Attainment
- Plus 1+ Method (Often referred to as a Brute Force)
Explaining just those course modules won’t really paint the picture but it’s where we start from, the basic foundation that we can expand on if you attend a class. So for this article I’m going to give you a step by step of an imaginary case study and we’ll take it from initial target assessment through to the end, breaking it up in in a procedural method instead of the blocks above.
1 – Initial Assessment
This phase can start before I even leave my house. I can use google and get an overhead and a limited ground level idea of the location that I need to make entry into.
This phase can also tell me an address number on a mailbox or a business front if I don’t already have it. My smart phone can also start getting me some socially engineered info that I may need to use later (which we will, because this case study is focused around codes).
Once on scene I have to determine and double check that I have a legal and moral right to make entry. I say “moral” also, that’s because just because something is legal doesn’t mean you should do it (and just because something is illegal doesn’t mean you shouldn’t if you are willing to accept the responsibility and you believe that morally it is justified to you and will also be justified to a jury of your peers should you find yourself in court).
After the legal/moral confirmation I immediately need to know how much time I have. Is someone taking their last gasps of breath right now? Is this a developing situation? Can this wait literally for days and days before we must make entry? This will help bigtime on the next step…
What entry points are available? If time allows I will do a thorough walk around of the structure and I will check if any doors and windows are already unlocked!
Matching up with the entry points is – What tools do I have at my disposal? And what tools can I have brought to the scene? If I am on foot away from my vehicle and away from my house or place of employment, I may decide to start using my EDC tools (*Article like here) or I might have to make the decision to go back to my vehicle and get tools, or I may have to have someone bring me tools.
For this specially designed case study we have determined that there is only one point of entry and it is an electronic key-pad that opens a door.
2 Choose Most Likely Entry Point
For us that will be a keypad today. If there is a secondary entry point you can have someone else attempt entry at the same time (keeping in mind a secure scene) to save on time.
For a digital keypad there are a few things I need to know when I first look at the system:
- Is it a 3 digit or 4 digit code for entry
- Is there a star or pound or key or enter button that has to be pressed before or after the code
- Is their a wait time between each code entry
- Is there a lockout after a certain amount of attempts (like on some smart phones, or websites)
3 Evidence of a Code?
Likely, as soon as I approach the keypad I will see if there is or is not evidence of a specific code (or group of keys) that is punched in often.
For this case study, let’s say the picture above is our entry keypad. If there are 4 digits worn off, and it’s a 4 digit code, there is a good chance each of the numbers is only used once. IF we have the correct information so far then for this lock there are 24 possibilities of using the digits 1,6,8,9 in a combination without repeating. If each entry takes 2 seconds and there is no wait period between attempting codes and there is no lockout after a certain number of attempts then you’ll be through this lock in 60 seconds or less (assuming you can lay out a really quick chart of all 24 possible combinations).
4 Socially Engineered Codes
On a “clean” keypad (above) with no evidence of a code on the device itself I will start to look elsewhere while keeping in mind my time limit.
“Tactical Lock Picking” is the field application of Lock Picking and Other Entries when the entry decisions you make have consequences”
Enter: “Two Step Rule“. You have probably seen this phrase before if you’ve tooled around my website or if you’ve heard the podcast or if you’ve attended a course. With security being a balancing act between efficiency and accessibility most people don’t want to have to look very far to go grab a spare key or to look up the keypad code. If there is a code written down somewhere it is probably within two arms lengths of the door it unlocks (Usually).
While looking for a physical code written somewhere I will also let my eyes try to pick up Socially Engineer-able Codes that are written down nearby or that exist as a number that describes something important for that particular facility.
- Standing at the front gate/door to a facility look for the address written nearby on a sign or a post (or online). 3500 Elm Street.
- Google a few phone numbers for that location. 555-555-2107.
- Dates. “Company XYZ est 1982“.
- 4 digit codes are infamous for using important years that are specific to the lock’s owner.
- Numbers within a title: “101st Airborne” … 0-1-0-1 … 1-0-1-0… (ask me how I know…)
I may try about a dozen or so guesses that I can “socially engineer” with online research, personal knowledge, or physical indicators, and then I will move on to my next ditch method.
Common Access Codes
I break this down in two different methods Paper Patterns and Geography Patterns.
Paper Patterns: Number codes that look like they have a pattern… on paper.
- 1-2-3-4 (which is often a factory default)
- 0-0-0-0 (which is often a factory default)
- As a bonus: often when a keypad has it’s code changed frequently it will often use the same four or five numbers but in different orders, and usually those are 1-2-3-4, so one month if it is 1-2-4-3 then the next month it may be 1-4-2-3 and the next 1-3-2-4 etc. These are kind of a pattern, food for thought.
Geography Patterns: Number codes that look like they have a pattern ON THE KEYPAD.
The two most common Geography Patterns that I have seen on keypads are the four corners and the vertical/horizontal lines. If you were to only write down the code 1-3-7-9 on paper, it may look like a random code, but when you punch it in on a keypad you will almost certainly immediately recognize that it is the four corners of the keypad.
If you were to write down the combo 2-5-8-0 on a piece of paper it may not appear to have a simple mathematical pattern (increasing numbers, odd, even, decreasing, repeated) but it starts at #2 and goes straight down the keypad. Also with something like 4-5-6-5 it may have a SLIGHT number pattern but on the keypad you will quickly recognize, visually, that is is only the middle row of numbers from left to right.
As with ALL of the methods that I teach I highly encourage you to use as much overlap as you can and to use all the evidence and all the tools you can and to be creative and mix and match and combine methods of entry to help you help others.
Random Ass Codes
These are the MOST secure in terms of someone trying to guess your code and they are the most secure against someone starting at 0-0-0-0 and adding a digit as long as you choose a number on the higher end of 0000 – 9999.
They are codes that don’t necessarily have a simple mathematical pattern, and don’t necessarily have a basic patterned layout on the keypad. And as stated above, if someone is going to attempt a brute force attack then the longer it takes them to reach your number (since most brute force attempts start with 0-0-0-0) the longer they have to wait until the come across the correct combo.
Plus 1+ Method
Occasionally I have taken some heat by unenlightened individuals for teaching these techniques to the general public. If you have a problem with that please read THIS ARTICLE before you send me hate mail or try to get me fired from my job (good luck this time though, being my own boss means that I have a special email folder for nonsensical complaints). This “Plus 1+ Method” is LITERALLY the same method that almost everyone that is reading this will have tried at one point in their lives probably starting at around 6 years old!!!
“Hmmmm, I want to unlock that 3 or 4 digit combo lock and I don’t know the code but nobody’s looking and I have all the time in the world. 0-0-0-0, nope. 0-0-0-1, nope. 0-0-0-2, nope. 3-6-7-8 YUP!!!” – says every child that ever wanted to open their dad’s briefcase.
Many people refer to this as a Brute Force Attack. I call it the Plus 1+ Method because in the field application of a brute force there are some things that you should consider when applying it as a method of entry.
The most important thing you may want to consider before you attempt this method is HOW LONG WILL THIS TAKE. In the courses that I teach I hand out an info attachment that explains how long it would take to brute force a 3 or 4 digit code and lists a few variables. The best information I can give you before you start this process is that if the system allows you to enter one code every two seconds, without a lockout time or a pause between entries you will have tried 10,000 entries in 5hrs 33min 2sec. That does NOT necessarily mean that you will use all of that time though.
As I said earlier that 4 digit codes are famous for using YEARS as codes, most relevant codes to us Americans are somewhere between 1775 and 2018. That is GREAT news for someone that needs to brute force exploit a 4-digit code because those years are on the lower end of the guessing game.
This method is also another reinforcer that one of the most important things that will decide your method of entry is HOW MUCH TIME YOU HAVE. If someone is taking their last breaths behind a door you might want to consider smashing a door in (sometimes); if it is an empty structure and you have to make entry for some sore of administrative reason then take your sweet ass time, pull up a chair, and start typing in codes starting with 0-0-0-0.
Next. Believe it or not you can often call someone and ask them for the code, or ask someone walking by and if you look like you belong, you belong. I have spent a LOT of time in some moderately secure military and government facilities and I know for a fact that people that have possessed door codes, people that have had NO CLUE who the fuck I was, have completely and utterly handed over their secure door codes to me just because I was in a hurry and I asked loudly and confidently what the code was.
“GODDAMMIT. Did this door code change recently? Mine isn’t working!”
“Uh… um yeah. Did you try 2-1-5-4?”
“Ohhhh. Ok thanks. See ya around”
This is the most common for mechanical locks since they often have to leave the factory with a code already installed and it takes EXTRA work to change the code. Looking up codes can also work in things like hotel safes but it requires a little bit of extra reading. For the most part I haven’t had a ton of experience with digital keypads working with manufacture default codes or manufacture master-key-codes but there is still a chance. Just because of all the searching, and once you find a resource you have to do a bit of reading, I usually put this far down the list for methods of entry. But if you are making entry with other people helping you this is a resource that you can quickly explain to a friend to have them research while you try other methods.
It is SO very difficult to explain my decision making matrix for a method of entry because there is SO much stimuli surrounding an entry and so much rapid processing that often so much of it happens all at the same time. Also there are SO many physical methods of entry like lock picking and bypassing and destructive entry to consider that in a REAL entry I will likely not pigeon hole myself to just a keypad. The environment will also often give me specifics that help me make decisions too – if someone walks by and they know the code I can very well try to ask them; if they don’t walk by then who the fuck do you ask? You can call someone on a phone to get them to tell you a code but not if a business is closed or if you don’t have YOUR phone.
BUT hopefully this gives you the tools to start to develop your OWN decision making matrix for your own entries that you will be making. And hopefully it will help you to upgrade your own security so that nobody takes advantage of you. I do not believe that keeping people ignorant will keep them secure, that is why I teach.
This is my passion and I love to help, I love to teach, I love to learn, and I thank you so much for checking out our content here.
If you found any value here today then please go check out our Discord Server and always feel free to contact me.
Below is our link to our Discord channel “Insurgency Knitting Circle”. Join us to chat in real time with me and some of the other cohosts as well as members of the tactical and liberty community. Our community that shares and creates content and knowledge on an almost 24/7 schedule! A very positive place with lots of good people, and growing!
At Uncensored Tactical we drink, we use adult language and make adult jokes about tools, tactics, training, leadership, humor and much more. But don’t be fooled, this content is VERY serious, although presented loosely. In law enforcement and in military operations and in every day civilian security practice you may have to take a life. If we are going to talk about taking lives and risking our own lives I think it’s reasonable that we also are able to express ourselves freely and paint a picture with whatever language and style we choose.
Thanks so much for spending time checking out the content here, it means a lot to me. The best ways to support this project and the sharing of this information is to share this content with your friends that may also find value from this info. And to follow us here at the website and where I am the most active, Instagram @UncensoredTactical.
Feel free to drop us a line *HERE* with questions, comments, concerns, topics you’d like to see presented or anything else!
And if you have anything you’d like to come on the air to talk about to our audience please send me an email *HERE*!
Stay curious, stay weird.
-Pat & Jack