tvtropes.org

Password Slot Machine - TV Tropes

️Thu Jun 14 2007

"He's got one. When he gets all ten, he'll launch the missiles."

In fiction, the way passwords get brute forced tends to make very little sense. What you normally see in a movie or TV show is all the possible codes flashing on the screen, and then the computer locks in the correct digits one at a time. It seems that computer password systems are similar to tumbler locks: You can pick it one at a time. But real passwords either work or don't. It's not a game of Mastermind.

Occasionally, the locked-in digits aren't even starting at the first digit. No explanation on how a computer would know that this random choice for the seventh digit is correct, and no explanation about how it suddenly knows that 3 is correct when chances are it would have tried a 3 in that space dozens of times by now.

More ridiculous is when it cycles through dozens of numbers on the readout when it should, at most, only have to cycle through ten if each digit can be "locked in." If a password is n symbols long and there are m possibilities for each symbol, then the complexity of brute force is usually m^n, but the password slot machine reduces it to m×n.^note For example, a six-digit password of only numbers takes up to 10^6 = 1,000,000 tries to brute force, but if correct digits "lock in" then it takes at most 10×6 = 60 tries instead (the best strategy would be to cycle through an ordered string e.g. 12345, then 23451, 34512, etc., which would cut guesses down to m. And statistically it only takes trying half the possibilities to brute force a password, meaning after 31 attempts you're more likely to have found it than not found it ^note).

Often, the implication is that the computer is not actually guessing the code, but deriving it via reverse-engineering the system it's trying to crack. The constant cycling of numbers merely shows that the computer is performing the calculations. This would also explain why which digits it locks in where and at what time can vary so widely across different uses of this trope: every system is different, and since the computer most likely doesn't know exactly what to look for unless it's cracked the same system once before (which is rare), it looks through everything, and could come across any piece of the code at any time. Alternatively, even if it does know, it may sometimes need to look at a few different parts of the system and then use those pieces of information to determine a digit rather than simply coming across it ready and waiting.

Named for the way the digits spin and then get locked in, which is similar to the action of a slot machine.

This trope is a sort of Exact Progress Bar, and it's usually used in time-critical situations. The "locking in" is a handy device to show the audience how close the computer is to cracking the password. Essentially a visual representation of Safe Cracking as well as a technological progression of it.

In Real Life, a good password system will not reveal anything about an incorrect guess other than "that was wrong," will take the same amount of time to process any input, will be slow enough that you can't try thousands of passwords a second, and will respond to some number of consecutive wrong tries (usually three to five) by locking the account^note and alerting the sysadmins. However, many real systems fall short of this ideal; it's easy to make a design or implementation mistake. And a common mistake is to take slightly less time to process an incorrect password if an earlier character is wrong, which allows "locking in" early characters exactly as in this trope.

Sub-Trope of Hollywood Hacking. Contrast with One Password Attempt Ever.

Examples:

open/close all folders

Anime & Manga

Case Closed: Ran has Conan's phone, thinking he's Shinichi and her sent SMS being on it would prove the connection, and decides to crack the password. Birthdates aren't correct, so she decides to start with 0000 and proceeding one digit at a time. After a few hours of trying, she wonders if the password is "Sherlock" in number format (4869 in Japanese pronunciation being Shi-Ha-Ro-Ku) and it turns out to be right.
In the 1994 OVA of Science Ninja Team Gatchaman, Jinpei carries one of these, being the hacker of the team.

Films — Animation

Parodied in Lupin III: Crisis in Tokyo: on encountering a door secured with a password this way, Goemon concentrates, lets out a yell, and brings his hand down on the readout. The password falls into place, and an impressed Jigen notes they should try their luck at Vegas. The end credits show them doing just that.

Films — Live-Action

Done in Anarchy TV when Frank tries to digitally find the combination to Reverend Wright's safe.
Used by the terrorists in Bloodfist VI to crack the nuclear launch codes.
Derailed (2002): After using a Hollywood Glasscutter to cut a perfectly circular hole in the window, Classy Cat-Burglar Galina clips one of these to the alarm system and uses it deactivate the alarms.
The Matrix both opens and closes with a scene of this, as the Agents lock in on the telephone number. Back in the pre-computer days, telephone routing systems really did use successive digits to determine routing (just as the first three digits still indicate the exchange, modulo number portability). However, this would have resulted in determining the digits from left to right, not randomly as shown in the movies.
Mission: Impossible (1996) uses a similar method back in the '90s when this trope might conceivably have been Truth in Television.
Resident Evil (2002): When Kaplan is trying to get the Red Queen's passcode to open the door to her chamber, the passcode appears one digit at a time.
In Terminator 2: Judgment Day, John Connor has a program on his laptop computer that determines ATM PINs this way. He later uses it during the Cyberdyne raid to open a safe containing one of two keys needed to open the vault that holds the surviving parts of the first T-800.
WarGames may be the Trope Codifier. Near the end of the movie, WOPR tries to figure out the launch codes of the nuclear weapons, randomly locking in on digits as they scroll by the screen.
What's the Worst That Could Happen?: Berger uses one to crack Max's alarm code when he and Kevin break into Max's townhouse. Later Windham uses a similar device when he has to break into Max's townhouse to rescue Kevin and Berger.

Live-Action TV

Season 8 of 24 has CTU cracking an encryption on a super duper ultra maxi encrypted file on a suspect's computer. The updates on how the decryption is coming consist of how many digits of the password have been cracked, and an unnecessarily large display on the wall shows their progress.
Doctor Who:
- In "Dalek", the titular Dalek breaches a door with "a billion combinations", with the eight code numbers cycling through digits until they turn to hashes in rapid succession, opening the door.
- In "School Reunion", the code to take control of the universe is partly cracked like this. Micky prevents this from happening... by pulling out the plug.
In Lois & Clark: The New Adventures of Superman, Superman does this at least twice — once with numbers, once with a word he knew was about Norse mythology.
So Weird features a variation of this, when a Hangman cheating program is used to guess the name of a fairy. This doesn't work for either. Although Hangman does tell you the moment you get a character right, you only have a limited number of tries, and although it was explicitly stated that the fairy guessing game gave unlimited tries, there's no way the program could know if it got a character right.
Vengeance Unlimited: In the episode "Critical", the Bad Guy of the Week and his unwitting genius accomplice play the slots to hack into a police mainframe.
The final round of the UK daytime gameshow Wordplay is this.

Pinball

Heist!: During her recruitment mode, Liz cracks the password to Mr. Big's computer account one character at a time. Each digit rapidly cycles between various possible characters before she lands on the right one.

Video Games

Clash at Demonhead: After beating the final boss, you have to crack the code for a bomb that's about to destroy the world. You (the player) have a number of chances to guess the code. Each correctly guessed digit locks, and you have to guess the remaining.
Fallout: Used as a minigame in Fallout 3 and Fallout: New Vegas. When attempting to hack a locked terminal the player must attempt to guess the correct password from a list of random words and characters in four tries (up to seven if the player manages to find a set of symbols to reset their allowance). An incorrect guess will tell the player how many characters were correct.
Grand Theft Auto:
- In Grand Theft Auto: Chinatown Wars, when breaking into high-end cars, Huang Lee has to use his PDA to find the immobilizer's PIN in order to start the car without the alarm going off.
- In Grand Theft Auto V, if the player chooses the "Roof Entry" approach on the fifth heist, breaking into the FIB's west coast headquarters and wiping out incriminating data on Steve Haines, Michael De Santa has to use two programs in order to hack the terminal. The second program is a password cracker using the slot machine method. The Online version makes greater use of these hacking tools in various Heists and Contact Missions.
Mega Man Battle Network:
- During the NumberMan scenario in Mega Man Battle Network, MegaMan comes across several doors which require a password to open, with the first few containing hints that Lan has to go and count objects in the real world to get the answer for. Eventually they come across doors without any hints, so they just brute-force the 2-digit password. The security system helpfully informs you if either digit is too high or low between 0 and 9, but answering wrong too many times will cause the system to change the value of one digit. During the final scenario, MegaMan encounters a door with three digits and no hint, only for a reformed Higsby and NumberMan to arrive and crack the code instantly, resulting in the password being "876".
- During the Sparkman scenario in Mega Man Battle Network 4: Red Sun and Blue Moon, Lan's tournament opponent attaches a malicious device to Lan's PET under the guise of free "PET Maintenance" to force Lan to use a weak folder in the upcoming battle. However, the device comes with a (randomized) 8-digit unlock code and a list of clues. While Lan is supposed to get these clues to figure out the code, the game doesn't penalize the player for incorrect guesses and tells the player how many digits of the last attempt were correct, making it possible to brute force the code in at most 72 attempts (9 x 8, as the code won't contain any zeroes) instead of 9^8 (43,046,721) attempts. Furthermore, brute-forcing the code may be the best way to solve the scenario during New Game Plus runs, as the weak folder is not upgraded to deal with the stronger viruses.
Mission Impossible (1990): There are electronically locked doors that are unlocked by Grant (The only agent with the required expertise in electronics) playing a minigame which involves decoding a 4-digit code, with the correct digit marked by a chime when scrolling through each digit individually.
NightFire features a handheld gadget that does this so you can get through locked doors in the level. For some reason, you push buttons on it as it's working at random intervals.
In >OBSERVER_, the cyborg cop Dan Lazarski can hack keypads in this manner, though it isn't always an option, depending on the location.
After fixing a keypad's circuit board in Safecracker, the keypad automatically displays the correct code like this.
All of the code-breaking in Secret Agent Barbie is depicted this way, with the digits as colored shapes.
At the beginning of Space Quest IV: Roger Wilco and the Time Rippers, the planetary coordinates of Roger Wilco's location on Magmetheus are displayed in this manner.
Splinter Cell: Chaos Theory has electronic lock hacking essentially like this. Except the player has to manually move the cursor over and secure the code fragments, making it a blend of Uplink and Klax.
Submachine does this at the beginning of the 6th game. The Edge's defense system checks for alerts by locking in 5 numbers on a 5x5 grid. The particular alert it finds in-game reads "Section 1 maintenance cart - unscheduled movement".
The brute-forcer program in the computer cracking "simulation" Uplink. This is deliberate: the game has far less to do with actual cybercrime than the movies Hackers, Sneakers and WarGames.
In Vampire: The Masquerade - Bloodlines, using the "Hacking" skill on a computer terminal causes the password field to fill with rapidly cycling characters that settle from left to right. An unsuccessful attempt produces a random string of letters; a successful one fills in the password.

Western Animation

Code Lyoko: Some of Jeremy's programs resemble this. One example is when he is hacking into the Replika floodgates to let the Skid enter them. Although the actual derived results visually resemble this trope, it appears that the computer is solving some sort of digital Rubik's Cube to obtain the numbers.
Danny Phantom: Technus, ghostly master of science and technology, needs to crack a 10,000-digit security code in order to access (and possess) a powerful satellite system. His 'cracking' is shown to work like this, slowly picking each digit individually while floating in Cyberspace.
The Monster of the Week in one episode of Godzilla: The Series is a machine that attacked and hacked a nuclear silo to wipe out humanity by starting a nuclear war. It guessed the launch code this way.
Justice League: In "A Better World", after breaking out, the Flash attempts to free Batman from his cell by inputting every possible password combination at superspeed. Luckily, Batman gives him some help by telling him his own password, deducing that Lord Batman's password likely would be the same.
ReBoot:
- A giant binary version of this is used by Megabyte, twice. The first time he used it to hack into stolen files from Dot's organizer; files which happened to contain hundreds of binome PIDs. The second time he used it to extract a portal command from Phong's mind.
- Daemon's infected Guardians try this too, but fail when the "locked-in" numbers show up as little mouse symbols. Mouse is just that good.
In the Sonic the Hedgehog (SatAM) episode "Sonic's Nightmare", Sally and NICOLE attempt to hack into one of Robotnik's computers by doing this. Notably, it fails because it takes too long and they are captured by a patrolling SWAT-bot before it's fully cracked.

Real Life

Some implementations of RSA encryption are vulnerable to an attack like this (called a timing attack). When a bit in the key is 1, the system must run a mathematical operation, which it skips if the bit is 0. Obviously, doing something takes longer than doing nothing. A persistent attacker can figure out the bits of the key, one at a time, based on this timing alone. Adding a random delay to each operation makes this attack take longer, but still work. Modern implementations fix this hole by delaying when the bit is 0 so it takes the same amount of time as a 1.
The Nintendo Wii's code signing system which prevents unlicensed programs from running on a non-debug console had a bug similar to the last one. The "key" (sort of like a password) was checked until a "NULL" byte was reached. A hacking group found that The Legend of Zelda: Twilight Princess's key had a NULL byte fairly early, so they could brute force out to the null byte and didn't have to figure out the rest of the key. This exploit (called the "strncmp bug" because of the way the Wii used strncmp instead of memcmp [memcmp doesn't stop at null bytes]) paved the way for dozens of others, and nowadays you can run anything on the Wii.
- Additionally, the disc drive authentication protocol returns the message about an incorrect password immediately after each digit is guessed, making it trivial to figure out the password.
The LanManager hash, used to store user passwords in all versions of Windows up to and including XP, is a form of this. It can't be broken one character at a time, but it is split into two seven-character chunks — which makes it vulnerable to simple lookup tables or plain brute force. For exactly this reason it was partially phased out in XP (maintained only for backwards compatibility with NT4 servers) and completely removed in Vista. ^note
- Wifi Protected Setup has the same mistake: it splits an eight-digit number in half, checks the first four digits, then checks the last four. Because of this and another mistake, it turns what should take 100,000,000 guesses into something that only takes 11,000.
A bug in Windows 95/98/Me allowed an attacker to discover passwords for shared folders and printers in a very Hollywoodian way. Not that it needs to guess all of the characters in the first place.
One old operating system allowed user programs to handle their own paging, swapping pages of memory in when not already present. The password verification algorithm on this system only read characters from the supplied password until the first character which did not match the correct password. Thus, a program could place a password such that the first unknown character appeared at the end of a page, with the next page swapped out; if the password verification read past that character, the program got asked to page in the next page, and it knew that character worked. Repeat for each character of the password. The fix, as in most cases, involved changing the password verification algorithm to always read the entire password, regardless of whether it matched or not.
A significant number of poorly-designed cryptographic systems are vulnerable to attacks that work one character at a time, trying different characters in a position before moving to the next. This is often due to programmers who don't understand the difference between authentication and encryption. Most often, it is caused by a programmer using an encryption algorithm (designed to protect data from being read) to solve an authorization problem (where you want to protect data from forgery). This can also happen if a programmer designs a new authorization technique rather than using HMAC or an asymmetric key algorithm.
There exists a password script for personal home pages known as "HpbChkPwd", ostensibly from IBM Japan's Home Page Builder software, which can be cracked via a Password Slot Machine. The client side can see an "encrypted string" and a JavaScript verification function. Analysis of the function shows that each character in the encrypted string is affected by only one character in the password, and also reveals some clues as to what the decrypted string should look like. Thus, cracking the password is a matter of locking in one character at a time in the password, and not even necessarily starting from the first or last character. By the way, if any would-be black-hat script kiddies are reading this, some crucial details have been left out a la MythBusters. However, password-protecting webpages using Javascript alone is technically weak and can easily be subverted anyway.
"CRIME" exploit of two common security protocols. A text with two matching parts compresses better, thus if an attacker can supply one part and the rest is fixed, a short text can indeed be picked character-by-character, through varying the crafted part and looking which ones cause the compressed message length to drop.
The Daily WTF had one example of a password system coded like that.
A flaw in the WPA PIN mechanism (which allowed people to recover the password for older wifi devices) meant that it was possible to confirm if the first half of the PIN was correct, making it trivial to brute-force.