For many, the idea of lockpicking may be relegated to the realm of...
In This Article
Photos by Jorge Nuñez
A lot has changed throughout history, but one thing that’s remained constant — and probably always will — is how we protect our valuables. We’re talking about guarding the things you have from the people who want to take them from you. The devices we consistently rely on, but seldom give much consideration to, are locks. When was the last time you evaluated the physical security of your home or your bug-out shelter?
Locks are your first line of defense against theft and burglary. So, what makes one lock better than another? With locks costing anywhere from $10 to thousands, there are a plethora of factors to consider when choosing a lock for your possessions or for the doors to and within your residence. Today’s locks are most often made of bronze, stainless steel, or similar metals, both for strength and corrosion resistance. Good locks are also precisely machined so that the tolerances between the moving parts are very small, making “smart” attacks like picking or bumping more difficult. The more precise a lock is — through machining parts rather than casting pieces, intense scrutiny during quality control, and the use of quality materials — the less room there is for attackers to defeat it.
Even relatively cheap locks typically offer solid construction, and most even have security pins thrown in for good measure. The addition of these special pins, such as spool or serrated pins, is commonly used to thwart more thought-out attacks. A truly strong lock should have some special features, such as restricted keys, specialty pins, or even abstract features, such as warding, making not only brute force but also more well-planned attacks more difficult to carry out.
Warding is the use of wards or barriers that a key must navigate around in order to operate a lock — not a new practice by any means. Warded locks were used throughout Europe as far back as the Middle Ages, but they were notoriously easy to defeat with the use of a so-called skeleton key. Such a key could fit between the wards on these locks and operate them, granting the key holder access without leaving behind any evidence. This led to manufacturers abandoning this security measure in favor of a “pin and tumbler” style lock, still the most common style found today. This requires a key with distinct cuts on the top and milling on the sides that fits perfectly into a two-piece cylinder, thus lifting up on pins of various lengths in order to rotate the inner cylinder, called the “plug,” and to operate the inner workings of the lock. If the pins don’t line up correctly, the plug won’t rotate and won’t grant you access to whatever you’re trying to open.
A frequent method used to defeat locks is plain old brute force. Smashing, cutting, or drilling into a lock via any number of tools, most of which are available at any hardware store, is often enough to tear through locks of all kinds. These types of attacks are fairly intuitive and don’t require a lot of specialized knowledge or tools. Smart attacks, like lockpicking, bumping, or shimming, require some knowledge of the inner workings of a lock that your average burglar might not have. These types of attacks are less common, but also much harder to prevent. Furthermore, the tools used in these smart attacks are becoming easier to obtain. If you want to be sure your stuff is secure, you’ll want to take these attacks into account as well; the unfortunate reality is that the most popular manufacturers simply aren’t.
Electronic access control is, without a doubt, the future of frontline security. The ability to track who’s entering a facility at any given time, and have a digital record of this to fall back on during any type of investigation, is incredibly valuable, especially to larger sites like schools, hospitals, and prisons. Combine that with the ability to instantly initiate a lockdown situation and the ability to quickly and easily “rekey” an entire facility, and you’d be crazy not to want this stuff.
So, why aren’t people using this on their homes, businesses, or at the very least, their vehicles? You might have already guessed the obvious answer — it’s very expensive. Most of these systems require a dedicated server to manage the whole thing, and you have to pay a premium (usually well into the thousands of dollars) in order to obtain the proper software and licensing to make all of the expensive hardware communicate with your computer. Not to mention, you’ll have to pay somebody to install a myriad of components, ranging from electrified locksets, electrified strikes, gateways for wireless hardware, request to exits, and so forth.
Running wires to power all of this stuff can be incredibly expensive as well, especially on older buildings. Wireless technology is consistently improving and becoming much less cost-prohibitive, but limitations will always be there as well — it’s hard to grab a signal from behind a concrete wall. Standalone options, which are still usually more expensive than a purely mechanical system but much cheaper than a networked one, do exist, but you lose many of the features that make electrified hardware so appealing. Standalone electrified locks need to be programed one by one, and will need to be individually reprogrammed if you ever want to change someone’s access levels. You’d also be losing out on the ability to quickly lock down a site in the event of an emergency — one of the most desirable features of a networked access control system.
These are some of the tools that you’ll commonly find in a locksmith’s bag. You probably still won’t find them at your local hardware store, but the internet has made these implements far more accessible than ever before.
Above: Lock picks (left) and tubular lock picks (right).
Lock picks: Your basic picking set will have at least two items: a tension wrench and a rake. The tension wrench puts rotational tension on the cylinder plug (the part you put the key in), and the rake lifts the pins up to the correct spot (called a shear line) and allows the plug to turn. This takes a lot of time and practice to learn, as the user must feel when there’s too little or too much tension, in addition to when a pin is set. With these two items and a heck of a lot of practice, a skilled locksmith can open nearly every lock they come across, and nobody would know.
Bump keys: These have been around for quite a while, but they really gained notoriety in the early 2000s. Similar to picking, bump keys work by lifting all of the pins in a lock to the shear line while maintaining rotational tension on the lock cylinder. Unlike picking, bump keys don’t require a whole lot of skill or practice to master. One simply has to insert the key most of the way into the lock, put a finger on the bottom of the bow of the key to apply tension, and then tap the back of the key with any small tool. This action sends the pins flying up into their respected chambers, and if you’ve got the correct tension, it will allow the cylinder plug to spin. This rarely happens on the first or even the second attempt, and your bump key must fit into the lock you’re trying to defeat, so this method requires more trial and error compared to picking. It’s noisy, potentially time consuming, and you’ll need different bump keys for different locks, but it’s still something to be aware of when purchasing a lock.
Padlock shims: Padlock shims work by squeezing between the shackle and body of a padlock until it can bypass the latching mechanism and allow the shackle to move freely. This takes time and the shims are often damaged in the process. But they’re cheap and easy to get a hold of, so they should still be considered when picking a padlock.
A good door lock, such as the Bowley deadbolt, is cast from a solid chunk of metal, so it’s very resistant to brute force attacks (hammers, drills, firearms, etc.). YouTube videos showing the inner workings of this lock also confirm the use of security pins, as well as warding, making this particular lock virtually unpickable and unbumpable.
Bowley Grade 2 deadbolt
Cylinder and keys are 17-4 ph steel and C36 brass
Cast out of solid metal
The Bowley lock thoughtfully combines our modern pin and tumbler locks with one large ward that essentially blocks any attempt at defeating the lock via picking. In my opinion, this is the most secure lock on the market right now. However, this security comes with certain caveats. Having to navigate the warding in this lock before even engaging the pin and tumbler portion means you have to insert the key, spin it around, insert it a bit more so that the key can engage the pins, and then turn it around again. This takes time, which could be limited during an emergency or under duress. However, that may be a small price to pay for the level of security you get from this lock.
Medeco/Assa Abloy Maxum High Security Deadbolt
Solid brass and hardened steel
One-piece, free-spinning cylinder housing
Another great lock that’s been available for some time, but often overlooked, is the Medeco Maxum High Security Deadbolt. This lock utilizes top-notch materials, like stainless steel, to foil most brute force attacks as well as restricted keyways that seriously limit the threat from unauthorized keys. Unlike the Bowley lock, however, the Medeco lock functions just like any other door lock — insert the key and twist. There’s no fancy warding to navigate on this lock, so Medeco combats picking attacks by using a combination of specialty pins, several of which are cut at different angles, to make picking exponentially more difficult. It’s still possible to pick a Medeco lock, but it’s incredibly difficult, and the time one would have to devote to doing so should deter most would-be lock-pickers.
When you’re perusing the average hardware store for a lock, there’s a temptation to buy a door lock that’s a household (and deceptively trustworthy) name. Unfortunately, many of these common, inexpensive locks are also the easiest to defeat, since most criminals are already familiar with how they work. An example with some security and quite a bit of convenience, is the Schlage Camelot deadbolt featuring an electronic keypad. This type of lock is available with a standard keypad that’s programmed right at the door, or a “connected” version that’s compatible with a number of smartphone applications and features “Z wave” technology so it can pair with most home security systems. This is especially convenient if you have kids (or spouses, let’s be honest) who consistently misplace their keys and find themselves on the wrong side of a locked door.
As always, this convenience comes at a price, and we’re not just talking about the lock’s price. At the heart of this lock is a very basic Schlage five-pin “C” keyway cylinder. This type of key is ubiquitous, which makes getting duplicate keys made very easy, but it also makes the cylinder much more susceptible to unauthorized keys and bump keys. Only having five pins makes this lock considerably easier to pick over the six-pin variant — an easy target for anyone with basic knowledge of lock picking. Schlage does often add security pins, but that’ll barely slow down an experienced lock-picker.
Kwikset, another popular brand at most hardware stores, makes a similar product, but it’s plagued by the same weaknesses. The Kwikset electronic deadbolt also uses a very common key, and their cylinders also only use five pins. In addition to this, the Kwikset cylinders are also made from cast metal, as opposed to Schlage’s machined cylinders, making the Kwikset version even easier to pick due to the lack of precision one finds on machined pieces. Both of these locks utilize top-notch materials, such as stainless steel, to make brute force attacks more difficult, and they’ll both likely contain security pins that’ll make picking slightly more difficult, but they’ll still be no match for an experienced picker.
Fingerprint and retina scanners fall into a field of access control referred to as biometrics. Aside from feeling like James Bond and winning the admiration of the neighborhood children, biometric locks do provide some useful advantages. For starters, it’s much harder for someone to hand over an eye or a finger than a key or a card. This all but eliminates the possibility of someone gaining access by stealing someone else’s credentials … when it works.
The major pitfall with biometric locks is dirt. These locks have to be incredibly precise in order to grant access to one person’s fingerprint or eyeball and not another, but this precision can also make biometrics very finicky. How many times have you repeatedly tried to unlock your phone with a fingerprint only to be continually denied access, to the point you gave up and entered your security code manually? A small amount of dirt on the glass where someone is supposed to place their finger usually results in curse words and frustration when the scanner doesn’t recognize them.
This can be negated to some extent if the lock is indoors and the facility is clean, but a small cut on someone’s finger could still pose some problems.
You should also consider a good padlock if you have the need to lock up anything that doesn’t live behind a door. Trailers, storage containers, and firearm cases all warrant a quality padlock to protect them from burglary. Besides the regular brute force attack, or a smart attack like picking, padlocks can fall victim to shimming. This technique involves a thin piece of metal that’s manipulated and inserted between the body of the padlock and the shackle until it passes the latching mechanism and allows the shackle to be freed.
Abus 20/80 Diskus stainless steel padlock
Stainless steel inside and out
Diskus Deep-Welding Technology
Commercial-grade padlock shims are, like lock picks, becoming easier to buy, and it’s no secret that they can be easily made from some common household items. There are plenty of videos floating around the internet showing how to chop up a soda can and open a simple padlock with it. A disc padlock design, such as the Abus Diskus, negates the threat of shimming by using a shackle that rotates when the key is turned, rather than popping up and out of the padlock body. This means there’s no latch to bypass with a shim, and its fully stainless steel construction makes a brute force attack a tall order as well. However, keep in mind this extra security has its drawbacks. Having a shackle that rotates into the body of the lock and no spring-driven latch means you can’t lock this padlock without using the key, and its unconventional shape might not fit a wide variety of applications.
Medeco/Assa Abloy Protector II Padlock (Model #50047320)
Solid stainless steel with hardened steel inserts
One-piece, free-spinning cylinder housing
The Medeco Protector II padlock has a much larger shackle and will therefore fit a larger variety of applications. It’s also made of case-hardened steel so it’s incredibly strong. Unfortunately, this increase in capability comes at a price. This lock, like most padlocks, uses spring-loaded ball bearings in order to lock the shackle down when it’s pushed into the lock body. This makes it lockable without having to use the key, which is convenient, but also makes it susceptible to a shim attack. Shimming padlocks isn’t all that easy, even on simple padlocks, and this particular lock uses multiple bearings to make shimming even more difficult — but the possibility still exists.
In addition to the incredibly strong materials and the multiple-bearing latch mechanism, this Medeco padlock uses a heavily restricted keyway, similar to their door locks, and abnormal pins that make picking and bumping highly unlikely. They’ve even added hardened steel inserts throughout the inner workings of the lock to make drilling into it more difficult as well. You’d be hard-pressed to find a stronger padlock, but this additional security costs three to four times as much as your run-of-the-mill Master padlock (more on that below).
An inferior padlock offers a fair amount of convenience, but at the expense of security. The four-digit combination padlock by Master, for example, allows the user to change the combination as often as they’d like with the included key. This key doesn’t open the lock; it only allows the user to change the combination on the lock. And the lock must already be opened in order to even insert the key. This makes this lock literally unpickable and unbumpable. You may be thinking, “If it can’t be picked, and I can change the combination often, why’s this padlock not secure?” That’s because the dials used to set the combination on the lock open up an entirely new means of attacking it.
By sticking a thin piece of metal between the dials, you can lift up the bar that keeps the shackle latched down, bypassing the dials completely and opening the lock in mere seconds. I’ve personally done this with a paper clip just to prove a point. It’s not difficult, and there are tons of videos exploiting this massive security deficiency on the internet. Yes, it has a hardened metal shackle and multiple bearings holding the shackle down, but a lock is only as strong as its weakest point.
The Master Magnum padlock is a little better, but it has flaws, too. It has an even stronger boron-carbide shackle, and it’s octagonal in shape which makes cutting or prying it open very difficult. Shimming would also be difficult, due both to the multiple bearing latch system and the octagonal shape of the shackle. However, at its core, it uses a regular pin-and-tumbler cylinder, just as easily picked as any other lock out there.
Here’s a useful site with a ton of diagrams showing how pin and tumbler locks function, how security pins work, how picking locks works, and more: toool.us/deviant/
When it comes down to it, there’s no perfect lock. But like anything else, some are better than others. One of the best ways to defeat criminals is to think like one. Training in SERE and lock-picking courses helps you practice the fundamentals of defeating common locks, so you’ll know what to look for and be better informed on how to outfit your home and belongings with locks that are more secure than the average ones you see at big box stores.
Everyone remembers the Master Lock commercial in the 1970s where a padlock was shot with a .30-caliber rifle and remained fastened:
This sort of hype makes good marketing, but any experienced locksmith or lock-picker knows these are some of the easiest locks to defeat, even for a novice. It certainly takes a lot less effort than a gunshot. Don’t fall victim to believing common brand names are common because they’re the best. Do your research and speak with the pros to become better informed on how to secure your belongings.
Travis Dionne is a locksmith at a prominent university in Los Angeles, and has been there for the better part of a decade. He was lucky enough to learn the trade early on in life, and has been pinning up cylinders and cutting keys since he was a young teen.