Summary: The best security will usually cause your employees the greatest number of hassles, but aren't your assets worth it?

My current client's office has two ways of getting into the building. If the office manager is at her desk and knows you, she will buzz the door for you. If she's elsewhere (i.e. running the company), then you need to type your passcode on the numeric keypad by the door.

Each of the 150 employees has his or her own 5-digit passcode, which means the chances that an intruder could guess correctly are pretty darn small. Five digits isn't too hard to remember, but is more than most folks would choose on their own.

The annoying part is that the numbers on the keypad seem to be migratory. Each time you get to the door, the keypad is completely blank. When you tell it to turn on, it lights up the digits 0-9 on the keys randomly, so each time you want to get in, you need to figure out where the keys are located this time. This is really annoying to those of us who like to commit codes and passwords to motor memory, leaving higher brain functions out of it entirely.

To make matters worse, the keypad does not have great contrast, and is in a spot where the sun is usually quite brightly shining. The sun is far too often shining brightly here in beastly California, but that's a different pet peeve of mine.

To combat the sun, the keypad has a shield at the top to provide some shade. However, since the pad is mounted about four feet off the ground, you can't see the keys when you are standing normally.

The result of all these conditions is that you must bend down, put your eyes about three inches from the keypad, squint, and try to find where the digits of your pin have gone to this time. Either the keypad manufacturer was sadistic, stupid, or extremely security conscious.

The physical stance we must adopt keeps anyone from looking over our shoulder and the sunshade completely blocks any other viewing angles. Since the keys are never in the same place twice, watching someone's hand motions to figure out which numbers are being pressed is impossible. The best an observer would be able to glean is if any numbers are used twice in a row (because you'd tap twice without moving your hand) or, if they are really good, they might be able to tell if a number is repeated elsewhere in your pin.

We are not allowed to pick our own codes; the security office gives them to us. The codes are generated pseudo-randomly by computer, but are tweaked to minimize duplicate digits and eliminate consecutive identical numbers, rendering the two pin-based vulnerabilities just mentioned unlikely. So in the end we have a system that, while being slightly annoying, is both functional and secure.

Compare this to other places I've worked, visited, or performed security audits. I've scammed so many door codes (even though I really try not to) that there has never been a place I couldn't access. My favorites are push-button locks that have a common key for everyone. Ignoring the fact that the code is usually changed only once every year regardless of how many employees have left in the interim, when a door has only one key, the keys themselves start to show uneven wear.

My favorite example is a place in a Chicago suburb where the gloss had worn off of the 1,2, and 3 keys. You could brute force the six combinations of this easily. (OK, eighteen combos if the pin was four digits long.) However, any familiarity with the location would suggest that the key would be 312 -- the area code for Chicago.

The tricky part was when I came to a door with a different code. It had the same wear pattern, but no three or four digit permutation worked. I figured that this code was new, because the servers had recently been moved there. Based on the use of 312 everywhere else, I tried the most logical next guess, 773 -- one of the new Chicago area codes. Click, click, in I walked.

So, though my chiropractor and I are annoyed at the keypad at our building, I must admit it affords much better security than most systems out there with a minimum of hassle. Now we just need to get one on the door to the server room, instead of that old-fashioned lock. Keys are so twentieth century....

Bri Hatch is Chief Hacker at Onsight, Inc and author of Hacking Linux Exposed and Building Linux VPNs. He dreams of one day becoming a master lockpick like Richard Feynman. Although there's certainly no chance that he'd ever match Feynman's Quantum Mechanical prowess, Bri occasionally tries to walk through walls. After all, there's a non-zero probability that he can quantum tunnel one of these days. These repeated collisions may be the cause of Bri's lame attempts at humor. Bri can be reached at bri@hackinglinuxexposed.com.

Copyright Bri Hatch, 2002.

This article was first published here in ITworld.com Inc., 118 Turnpike Rd., Southborough, MA 01772  on 09-Apr-2002.