This page catalogues a set of tricks and tips useful when evaluating and picking locks more complicated than the standard 5 or 6 pin Kwik.
Before using these methods, try to identify the specifications of the lock and any modifications which may have been performed using social engineering or out-of-band methods. Google the manufacturer (often listed on the key) and try to find the model of the lock. If you strike out when doing background research, these tricks will come in handy.
Pin and Tumbler Tricks:
Identification of Pin Stacks:
An easy way to determine the number of pin stacks in a given lock is to use the flat side of a half diamond pick. Place the pick all the way into the back of the lock and raise it to the top of the lock. If you don’t feel squishy (pin) resistance, it’s possible that you are catching on some lip at the back of the lock.
This is normal, slowly back the pick out of the lock until you feel a spongy or springy resistance. Continue slowly backing the pick out of the lock, and an audible click should be heard as each pin drops. Count the number of clicks to determine the number of pin stacks.
Detecting and Defeating Security Pins:
If the circumstances allow it, the best way to detect security pins is to disassemble the lock. This is rarely the case, but if you are able to disassemble the lock, take care to use a plug follower so you don’t have driver pins springing away into oblivion.
More likely, the client will not want you to disassemble the lock. In this case, the most common security pins can be detected by feel. Begin single pin picking the lock, working through binding pins. If after picking any single pin stack, the plug noticeably turns (> 10 degrees), pause for a moment. This state is called a false set, where the pin gives a similar feedback to a binding pin which has been set, but is not actually in the set position. Play with the tension on the lock; if the plug gives a bit with a force pushing back towards neutral, it is likely that there are mushroom or spool security pins.
To pick past these security pins, find the binding security pin which caused the false set. This can be done by lightly pushing on each pin in sequence. When lifting a pin causes the plug to rotate back towards neutral, it is likely to be the spool or mushroom pin. Slowly reduce tension while lifting the pin until the binding pin lines up with the shear line. Then continue picking as normal, repeating the technique for any other spool-type pins.
Detecting serrated pins is more difficult, but can still be done without disassembly. The dead give away for serrated pins is when you set a binding pin, but the plug doesn’t move at all. Not even a tiny amount of movement. Additionally, when you scrub back through the rest of the pins, none of them except the previously bound pin are binding. This is because serrated pins often have to be lifted multiple times to clear the various serrations before they stop binding and actually align at the shear line. To bypass these pins, you must use very light tension while lifting the serrated pin.
A frequent question from novice lockpickers is which way to turn the plug. For padlocks, they almost always open when turned clockwise. For built-in locks on door handles, they almost always turn counter-clockwise.
Deadbolts are a toss up, it really depends on the internal locking mechanism.
Upside Down Driver Pins:
You’ve successfully picked a lock and are happily turning the plug when at 180 degrees, your progress is blocked! Don’t panic, odds are you haven’t broken the lock. Take a look at the top of the lock, do you see flat pins?
Odds are that the driver pins were not carried with the rotation of the plug and have now dropped back into the original pin stacks where the key pins usually sit, blocking further plug rotation. To fix this, take a flat object (the back side of a half diamond pick works well) and press it up against all the flat driver pins at once. You should be able to lift them back into the top of the pin stack and continue turning the lock.
Wafer locks are relatively easy to identify. The “pins” are actually disks (wafers) with rectangular cutouts in the center. As a result, from the outside of the lock, the “pins” will look very square. You may be able to see these square blocks on both the top and the bottom of the lock. 99% of all wafer locks are very insecure, the manufacturing tolerances are much more lenient, and they can almost always be raked. There are some exceptions, look up the manufacturer to be sure that they don’t produce specialty wafer locks with many disks or other security features.
Wafer locks can be a big pain to tension properly, sometimes requiring a wishbone tensioner or other specialized tool. In a security engineering engagement, you probably have the key to the lock. Instead of bothering with a specialized tool, simply apply pressure to the cam protruding from the back of the lock directly. It’s much easier to get light tension this way, and there is less to block your picks.
The pins of tubular locks will be aligned in a circle. They operate exactly like a pin and tumbler lock with a driver and key pin stack, they are just located circularly. They come in 6, 7 and 8 pin variations. Typically the diameter of these locks will be standard if they are intended for American audiences, but European or Asian countries utilize varying standards of diameters. This is important when selecting a specialty tubular lock pick.
These locks can have security pins which can be dealt with in the same manner as described in the pin and tumbler section. An additional security consideration for tubular locks is if they utilize variable spring resistance. This is a technique used to prevent specialized tubular lock picks from easily bypassing the lock.
This device has two purposes. For a regular tubular lock without security pins or variable resistance, this tool can be used as an impressioning device to slowly pick the lock. This method won’t work if the lock has pins with variable resistance or security pins.
For locks with security pins or variable spring resistance, this can be used once the lock is picked to emulate the key, preventing an attacker from having to pick the lock multiple times.
Loosen the collar on the front of the pick. Move each of the feelers individually, verify that they can move smoothly and freely without any substantial resistance. Use the washer to push all of the feelers beyond the end of the pick’s tip. Place the tip face down on a flat surface and push down so all the feelers are aligned at the very edge of pick.
Lightly tighten the collar on the front. The emphasis is on lightly, it should just barely catch the threads.
Align the lock pick with the front of the lock. There should be one part of the lock pick which doesn’t have a feeler, align this blank area with the key tab of the tubular lock. Push the lock pick all the way back into the lock, keeping the pick perfectly orthogonal to the lock.
Using your thumb and forefinger, continue applying inwards pressure and gently rotate the pick left and right. If successful, the pick and plug should rotate more and more as the process continues until the lock turns. If the lock doesn’t turn after around 20-30 turns, reset the pick and try again.
Once the lock turns, stop all motion immediately! Tubular locks will not turn freely once picked, they will lock again while the locks turns as each pin falls into the adjacent pin stack. Carefully remove the pick from the lock and tighten down the collar aggressively. Reinsert the pick and turn the lock back into the fully locked or unlocked position.
The pick will now serve as a key for the lock and the depths of the feelers can be used to cut a new key if necessary.
Half-Picked Tubular Locks:
You happily picked a tubular lock, but weren’t quite quick enough and continued turning the plug after the lock was picked. Now the lock is stuck at a middle point, where the original key won’t fit into the lock. Keep calm and continue picking! Essentially all the driver pins have moved one pin stack over.
As a result, there will be one dead pin (detectable as an absolute rock, no springiness at all even without any tension). Ignore this pin and pick the lock as usual, this time being extra careful not to turn the plug once the lock has been picked. Use an impressioning tool as an intermediate key once the lock is picked to restore the lock to working order.
Hopefully you learned some nifty tips and tricks to improve your lockpicking game! If you’ve never tried picking tubular or wafer locks before, get out there and try your hand. There is a wealth of locks available for bottom-dollar on Ebay and other auctioning sites. Keep an eye out for auctions of locks without keys which can often be had for a steal.