A computer system is protected by a password. Unfortunately, unlike many other fictional scenarios, the password isn't the easily guessable obsession of the character owning the computer, and is often just a random jumble of numbers and letters. So, the only solution is to brute force it. However, the way it gets brute forced tends to make very little sense.
What you normally see in a movie or TV show is all the possible codes flashing on the screen, and then the computer locks in correct digits one at a time. It seems that computer password systems are similar to tumbler locks: you can pick them one pin at a time. But real passwords either work or don't. It's not a game of Mastermind.
Occasionally, the locked-in digits don't even start at the first digit. There's no explanation of how a computer would know that this random choice for the seventh digit is correct, and no explanation of how it suddenly knows that 3 is correct when chances are it would have tried a 3 in that space dozens of times by now.
More ridiculous is when it cycles through dozens of numbers on the readout when it should, at most, only have to cycle through ten if each digit can be "locked in." If a password is n symbols long and there are m possibilities for each symbol, then the complexity of brute force is usually m^n, but the password slot machine reduces it to m*n. For example, a six-digit password of only numbers takes up to 10^6 = 1,000,000 tries to brute force, but if correct digits "lock in" then it takes at most 10*6 = 60 tries instead (the best strategy would be to cycle through an ordered string, e.g. 12345, then 23451, 34512, etc.; this would cut guesses down to m).
There is a possible justification when the password is being guessed sequentially. Say we have a password of 325 and we work it out by inputting every possible combination in order: the digits look like they are locked in, but each would be replaced if no match was found with the following numbers. So at first it would look like the first digit is locked in as 0, then 1, then 2, before settling on 3.
Named for the way the digits spin and then get locked in, which is similar to the action of a slot machine.
This trope is a sort of Exact Progress Bar, and it's usually used in time-critical situations. The "locking in" is a handy device to show the audience how close the computer is to cracking the password.
In Real Life, a good password system will not reveal anything about an incorrect guess other than "that was wrong," will take the same amount of time to process any input, will be slow enough that you can't try thousands of passwords a second, and will respond to some number of consecutive wrong tries (usually three to five) by locking the account and alerting the sysadmins. However, many real systems fall short of this ideal; it's easy to make a design or implementation mistake. And a common mistake is to take slightly less time to process an incorrect password if an earlier character is wrong, which allows "locking in" early characters exactly as in this trope.
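The two points made above (the m^n versus m*n guess count, and the early-exit comparison that leaks how much of a prefix is right) can be made concrete. The following is an added example written for this page, not code from any of the works or systems it lists. It models "time" as the number of characters a comparison routine examines, which is the quantity an early-exit compare leaks, and includes a small self-test a developer can run against their own comparison routine to see whether its work varies with the guess. The function names and the sample secret "325" (taken from the example in the text) are this example's own.

```python
import hmac


def work_bounds(m: int, n: int) -> tuple[int, int]:
    """Upper bound on guesses for an n-symbol password over an m-symbol alphabet:
    (true brute force, "lock-in" oracle). For m=10, n=6 this is the text's
    10^6 = 1,000,000 versus 10*6 = 60."""
    return m ** n, m * n


def leaky_compare(secret: str, guess: str) -> tuple[bool, int]:
    """The common mistake: stop at the first mismatch. Returns (match, characters
    examined); the second value stands in for elapsed time and grows with the
    length of the correct prefix, which is exactly the trope's "locking in"."""
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for s, g in zip(secret, guess):
        examined += 1
        if s != g:
            return False, examined      # early exit: work depends on the guess
    return True, examined


def constant_time_compare(secret: str, guess: str) -> tuple[bool, int]:
    """Examine every character and OR the differences into one accumulator, so
    there is no data-dependent early exit. Production code should use
    hmac.compare_digest on fixed-length hashes (so length is not leaked either);
    this hand-written loop only shows the structure of the fix."""
    if len(secret) != len(guess):
        return False, 0
    diff = 0
    for s, g in zip(secret, guess):
        diff |= ord(s) ^ ord(g)
    return diff == 0, len(secret)


def work_depends_on_prefix(compare_fn, secret: str) -> bool:
    """Self-test for a login routine (hypothetical helper): submit guesses that
    share k correct leading characters (k = 0 .. n-1) and have a wrong character
    at position k. If the work differs between them, the routine reveals how
    much of the prefix is right."""
    def wrong(c: str) -> str:
        return "a" if c != "a" else "b"

    counts = {
        compare_fn(secret, secret[:k] + wrong(secret[k]) + secret[k + 1:])[1]
        for k in range(len(secret))
    }
    return len(counts) > 1


if __name__ == "__main__":
    print(work_bounds(10, 6))                                   # (1000000, 60)
    print(leaky_compare("325", "300"))                          # (False, 2)
    print(work_depends_on_prefix(leaky_compare, "325"))         # True
    print(work_depends_on_prefix(constant_time_compare, "325")) # False
    # The standard-library fix for real code:
    print(hmac.compare_digest(b"325", b"325"))                  # True
```

The self-test deliberately checks only the structure of the routine (whether work varies with the guess), since wall-clock timing of a Python loop is noisy; the same property in a real service is what the "same amount of time to process any input" requirement above asks for.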
Subtrope of Hollywood Hacking
Anime and Manga
- Parodied in the Lupin III movie Crisis in Tokyo: on encountering a door secured with a password this way, Goemon concentrates, lets out a yell and brings his hand down on the readout. The password falls into place, and an impressed Jigen notes they should try their luck at Vegas. The end credits show them doing just that.
- Jinpei in the 1994 OVA of Science Ninja Team Gatchaman carried one of these as the hacker of the team.
- The Matrix both opens and closes with a scene of this, as the Agents lock in on the telephone number. Back in the pre-computer days, telephone routing systems really did use successive digits to determine routing (just as the first three digits still indicate the exchange, modulo number portability). However, this would have resulted in determining the digits from left to right, not randomly as shown in the movie.
- Could this have been the rules of the system being different from those in the real world?
- In Terminator 2: Judgment Day, John Connor has a program on his laptop computer that determines ATM PINs this way.
- WarGames may be the Trope Codifier. Near the end of the movie, WOPR tries to figure out the launch codes to the nuclear weapons, randomly locking in on digits as they scroll by the screen.
- Played completely straight by the terrorists in Bloodfist VI to crack the nuclear launch codes.
- Resident Evil. When Kaplan is trying to get the Red Queen's passcode to open the door to her chamber, the passcode appears one digit at a time.
Live Action TV
- In the Doctor Who episode "School Reunion", the code to take control of the universe is partly cracked like this. Micky prevents this from happening... by pulling out the plug.
- Averted in the episode "Dalek": when the titular Dalek begins its prison break, it is faced with a locked door with "over a million combinations". It cycles through all the combinations at high speed before realizing that the password is a series of asterisks. Though each new asterisk appears and stays there, this happens in sequence because by that point the Dalek has eliminated the actual numbers for that digit and so moves on to the next.
- So Weird features a variation of this, when a Hangman cheating program is used to guess the name of a fairy. This doesn't work for either. Although Hangman does tell you the moment you get a character right, you only have a limited number of tries, and although it was explicitly stated that the fairy guessing game gave unlimited tries, there's no way the program could know if it got a character right.
- Vengeance Unlimited episode "Critical" — The Bad Guy of the Week and his unwitting genius accomplice play the slots to hack into a police mainframe.
- The final round of UK daytime gameshow Wordplay is this.
- In Lois and Clark, Superman did it at least twice — once with numbers, once with a word he knew was about Norse mythology.
- Season 8 of 24 has CTU cracking an encryption on a super duper ultra maxi encrypted file on a suspect's computer. The updates on how the decryption is coming consist of how many digits of the password have been cracked, and an unnecessarily large display on the wall shows their progress.
- Ash uses a gadget that does this to crack the four-digit security code to the employee entrance at a bank in the Hustle episode "The Hush Heist".
- One of Artie's gizmos in Warehouse 13 is a steampunkish variant with a USB connector.
- The old NES game Clash At Demonhead featured this after beating the final boss, where you had to crack the code for a bomb that would destroy the world. You (the player) had a number of chances to guess the code. Each correctly guessed digit locks in, and you had to guess the remaining ones.
- Used as a minigame in Fallout 3.
- The James Bond game Nightfire featured a handheld gadget that did this so you could get through locked doors in the level. For some reason you push buttons on it as it's working at random intervals.
- Splinter Cell: Chaos Theory has electronic lock hacking essentially like this. Except the player has to manually move the cursor over and secure the code fragments, making it a blend of Uplink and Klax.
- The brute-forcer program in the computer cracking "simulation" Uplink. This is deliberate: Uplink has far less to do with actual cybercrime than the movies Hackers, Sneakers and WarGames.
- In Vampire: The Masquerade - Bloodlines, this is the visual effect associated with using the "Hacking" skill on a computer terminal. Given the wide variety of systems represented by that single simple login prompt, this was probably the easiest option.
- Sally and her hand-held widget hack into something of Robotnik's this way in Sonic Sat AM. A train and some acrobatics were involved in this scene as well.
- A giant binary version of this is used by ReBoot's Megabyte, twice. The first time he used it to hack into stolen files from Dot's organizer; files which happened to contain hundreds of binome PIDs. The second time he used it to extract a portal command from Phong's mind.
- Daemon's infected Guardians try this too, but fail when the "locked-in" numbers show up as little mouse symbols. Mouse is just that good.
- Some implementations of RSA encryption are vulnerable to an attack like this (called a timing attack). When a bit in the key is 1, the system must run a mathematical operation, which it skips if the bit is 0. Obviously, doing something takes longer than doing nothing. A persistent attacker can figure out the bits of the key, one at a time, based on this timing alone. Adding a random delay to each operation makes this attack take longer, but still work. Modern implementations fix this hole by delaying when the bit is 0 so it takes the same amount of time as a 1.
- Another related example was an early UNIX attack where you could tell how many characters in your attempt were correct by measuring how long it took, since the password check would only compare digits until it hit an incorrect one.
- The old WEP encryption standard for wi-fi networks was SO bad that hackers could actually mount an attack that guessed the key bytes one after another, and "locked in" them when successive guesses polarized towards some value. Not that different from the way Joshua tried to break in the missile silos...
- A Padding Oracle Attack is where a poorly configured web service will return a bad padding error when the attacker's guess of the last byte of the plaintext string is incorrect. The one value of the 256 available that does not return the error is the correct byte. On a CBC mode encryption scheme, the attacker can then roll forward one byte and repeat the attack until the entire message is decrypted, Slot Machine style.
- The Nintendo Wii's code signing system, which prevents unlicensed programs from running on a non-debug console, had a bug similar to the last one. The "key" (sort of like a password) was checked until a "NULL" byte was reached. A hacking group found that Zelda's key had a NULL byte fairly early, so they could brute-force out to the null byte and didn't have to figure out the rest of the key. This exploit (called the "strncmp bug" because of the way the Wii used strncmp instead of memcmp [memcmp doesn't stop at null bytes]) paved the way for dozens of others, and nowadays you can run anything on the Wii.
- The LanManager hash, used to store user passwords in all versions of Windows up to and including XP, is a form of this. It can't be broken one character at a time, but it is split into two 7-character chunks, which makes it vulnerable to simple lookup tables or plain brute force. For exactly this reason it was partially phased out in XP (maintained only for backwards compatibility with NT 4 servers) and completely removed in Vista.
- Wi-Fi Protected Setup has the same mistake: it splits an eight-digit number in half, checks the first four digits, then checks the last four. Because of this and another mistake, it turns what should take 100,000,000 guesses into something that only takes 11,000.
- A bug in Windows 95/98/Me allowed an attacker to discover passwords for shared folders and printers in a very Hollywoodian way.
- Not that it needs to guess all of the characters in the first place.
- One old operating system allowed user programs to handle their own paging, swapping pages of memory in when not already present. The password verification algorithm on this system only read characters from the supplied password until the first character which did not match the correct password. Thus, a program could place a password such that the first unknown character appeared at the end of a page, with the next page swapped out; if the password verification read past that character, the program got asked to page in the next page, and it knew that character worked. Repeat for each character of the password. The fix, as in most cases, involved changing the password verification algorithm to always read the entire password, regardless of whether it matched or not.
- A significant number of poorly-designed cryptographic systems are vulnerable to attacks that work one character at a time, trying different characters in a position before moving to the next. This is often due to programmers who don't understand the difference between authentication and encryption. Most often, it is caused by a programmer using an encryption algorithm (designed to protect data from being read) to solve an authorization problem (where you want to protect data from forgery). This can also happen if a programmer designs a new authorization technique rather than using HMAC or an asymmetric key algorithm.
- The "CRIME" exploit against two common security protocols. A text with two matching parts compresses better, so if an attacker can supply one part and the rest is fixed, a short text can indeed be picked out character by character, by varying the crafted part and looking at which values cause the compressed message length to drop.
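The RSA timing entry in this folder (the multiply step that runs only for 1 bits of the key) is easy to see in a square-and-multiply loop. Here is an added example, not code from any real RSA library, that counts the modular operations as a stand-in for time: the leaky version's count changes with the key bits, while a "square-and-always-multiply" version does the same work for every bit. The always-multiply structure is this example's chosen fix; real libraries combine it with constant-time selection and blinding, and the Python conditional below only models the selection step. Function names and the toy numbers are this example's own.

```python
def modexp_leaky(base: int, exp: int, mod: int) -> tuple[int, int]:
    """Left-to-right square-and-multiply. Returns (base^exp mod mod, op count).
    The multiply runs only when the current key bit is 1, so the op count, and
    the per-iteration timing, follow the bits of the exponent."""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:            # most significant bit first
        result = result * result % mod
        ops += 1
        if bit == "1":                  # data-dependent branch: the leak
            result = result * base % mod
            ops += 1
    return result, ops


def modexp_balanced(base: int, exp: int, mod: int) -> tuple[int, int]:
    """Square-and-always-multiply: the multiply is computed on every iteration
    and the unwanted product is discarded, so the op count is exactly
    2 * bit_length regardless of which bits are set. (Real implementations
    replace the conditional expression with a constant-time select.)"""
    result, ops = 1, 0
    for bit in bin(exp)[2:]:
        result = result * result % mod
        ops += 1
        candidate = result * base % mod  # always done, even for a 0 bit
        ops += 1
        result = candidate if bit == "1" else result
    return result, ops


if __name__ == "__main__":
    # Toy parameters (constructed): two 4-bit exponents with different weights.
    for exp in (0b1011, 0b1000):
        print(bin(exp), modexp_leaky(3, exp, 7), modexp_balanced(3, exp, 7))
    # 0b1011 (5, 7) (5, 8)
    # 0b1000 (2, 5) (2, 8)
```

The leaky loop does 7 operations for exponent 1011 but only 5 for 1000; an observer who can time each iteration sees a long step for every 1 bit. The balanced loop does 8 operations for both, which is the property the entry above describes as "so it takes the same amount of time as a 1".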