The building, used by several hundred employees, had a security system with 4-digit codes. I’ve been part of a group of people who liked to work late, and the building would lock at midnight – the box by the door would start beeping and you would need to unlock it within a minute or so, or a “proper alarm” would ensue.
However, to unlock the alarm you did not need your card – all you needed to do was to enter any valid code. Guess what was the chance that, say, 1234 was someone’s valid code? Yes.
We had all been using some poor guy’s code 1234, and after several years, when he left the company, we just guessed some other obvious code (4321) and kept using that.
By the way, after entering the code into the box by the door, it would briefly display the name of the person to whom the code “belonged”. One of our colleagues took it as a personal secret project to slowly go through all 1000 possible codes and collect the names of the people, just for the kick of it.
(By the way, I don’t work for that company anymore, and more importantly, the company does not use that building anymore, so don’t get any ideas! 🙃 )
Speaking about security codes, a little story about a tiny hotel I’ve been in.
When we arrived, there was no reception; the agreement was that once we arrived we would call the receptionist/owner. So we did, and it turned out the rooms were prepared in advance, and they would just need to give us the code to unlock the main door, the code to unlock our room door and some basic instructions – all of that could be done over the phone. Fine.
So they gave us the code, it was, say, 1234, and our room was 33. So we opened the main door – worked fine, went to the lobby and tried to open our room. The code 1234 did not work. So we called back and after some checking they apologized and told us that the correct code was – you guessed it – 1233.
Luckily there was also a proper metal key in the room – only one though (we were a group of 6), so if we wanted to actually protect our valuables we had to share the metal key.
(Overall, the hotel was great, and all, the owners were nice, all was fine – it’s just that they were apparently not exactly security nerds… 🤓 )
One of our colleagues took it as a personal secret project to slowly go through all 1000 possible codes and collect the names of the people, just for the kick of it.
Just an FYI it’s 10,000 codes, not 1,000. 0000-9999
I have worked for several companies with door codes and they’re always easy to guess. Like 1-2-3-4 or 2-4-6-8. And they only change if someone gets fired.
The door code at the hospital I worked at was 1 2 3, until they got in trouble for people walking in.
They changed it to 2 1 3.
Some really cheap locks don’t even require a specific order, just the correct 4 digits in any combination.
Was it possible for multiple people to have the same code?
It was not. I vaguely recall that during my onboarding (which was long before I needed to use the code) I was asked to pick a code and I needed several attempts.
Funny that if it was possible, codes like 1234 would still be almost guaranteed to be valid, but because the code needed to be unique, there were far more valid codes, which made the guess even easier.
Plus when trying to pick my own code during onboarding I could note all the failed attempts as also valid codes.
So much fun! :D
Having worked on a system like this, typically no. DMP systems, for example, require every user’s 4-digit PIN number to be unique.
Doesn’t that make the numeric code their username? There is no ‘password’ here.
Sure, in theory, but in the UI for these systems it is always called a PIN number or a Passcode.
That’s what you get when your key space is too small for the problem you’re trying to solve.
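To put numbers on the keyspace point made in this thread, here is an added example (not part of any comment above) that sizes a code keyspace for a panel that accepts any valid code versus one that checks the code against a presented card. The 300 users and the 3-try lockout are assumptions chosen for illustration.

```python
from fractions import Fraction
from math import comb


def p_any_valid(guesses: int, issued: int, keyspace: int) -> Fraction:
    """Chance that at least one of `guesses` distinct codes is accepted when
    `issued` unique codes exist and the panel accepts ANY of them.
    issued=1 models card + PIN: only one code fits the presented card."""
    if issued > keyspace:
        raise ValueError("cannot issue more unique codes than the keyspace holds")
    guesses = min(guesses, keyspace)
    miss_all = Fraction(comb(keyspace - issued, guesses), comb(keyspace, guesses))
    return 1 - miss_all


def expected_guesses(issued: int, keyspace: int) -> Fraction:
    """Mean number of distinct random guesses up to and including the first hit."""
    return Fraction(keyspace + 1, issued + 1)


def digits_needed(issued: int, guesses: int, target: Fraction) -> int:
    """Shortest code length that keeps p_any_valid at or below `target`."""
    digits = 1
    while 10 ** digits < issued or p_any_valid(guesses, issued, 10 ** digits) > target:
        digits += 1
    return digits


if __name__ == "__main__":
    USERS = 300                 # assumption: stands in for "several hundred employees"
    TRIES = 3                   # assumption: wrong entries allowed before lockout
    TARGET = Fraction(1, 1000)  # assumption: acceptable success chance per lockout window

    pin_only = p_any_valid(TRIES, USERS, 10_000)
    card_pin = p_any_valid(TRIES, 1, 10_000)
    print(f"PIN only, 4 digits:   {float(pin_only):.4f} per {TRIES} tries")
    print(f"card + PIN, 4 digits: {float(card_pin):.4f} per {TRIES} tries")
    print(f"mean guesses to first valid code: {float(expected_guesses(USERS, 10_000)):.1f}")
    print(f"digits needed, PIN only:   {digits_needed(USERS, TRIES, TARGET)}")
    print(f"digits needed, card + PIN: {digits_needed(1, TRIES, TARGET)}")
```

Every unique code issued raises the hit rate of a PIN-only panel, which is why binding the code to a second factor (or lengthening it) matters more than the lockout threshold.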
I remember a Defcon talk I saw on YouTube where the guy said “remember everything is either broken or using default credentials”
“Man, this guy must be pretty dedicated if he’s coming in to work at all hours of the day and night.”