(Fabio Alessandro Locati|Fale)'s blog
On photographing physical keys
February 28, 2025
Every one of us probably has some physical keys in our pocket or purse right now. This familiarity with this common object might make us forget about how the security of those objects actually works.
I see pictures of keys shared very often in groups or on social media. Sometimes this happens because a set of keys has been found somewhere, and the person uploading the picture is trying to help their owner to identify their keys. Other times is simply a picture where the keys are not the subject, but are casually in frame.
This apparently riskless action can be very dangerous, since this brakes the security of the pictured keys.
The core problem with this is how a key works. A key has a number of teeth that will match the pins in the lock. If the pins in the lock match the key teeth, the locks open.
If we look a little deeper, though, we need to understand what it means for key teeth and lock pins to match. The way it works is that the pins in the lock are of different lengths and are raised by the key. When the lock is closed, the tops of the pins are not aligned, preventing the lock from turning. If the right key is inserted, the tops of the pins align, and the lock is free to turn. This is the only thing the key does.
Since the number of pins is limited (often 4 to 7) and also their heights (usually 5 to 10), the key can be thought of as a PIN. Some keys have a number in-print on them, and that is usually the positions of the various pins of the lock that is opened by the key. And, more precisely, a PIN that has the number of pins as the number of characters, and the variability of those characters is the same as the possible heights of the pins. For example, a lock with 5 pins and 5 possible heights (a very common combination for padlocks) has a theoretical maximum of 3125 combinations. The real maximum is lower, since some combinations are not used because they would make the lock too complex to use or too easy to force.
There are a couple of lateral stripes on the key that can be in different positions. If they are not in the correct position, the key will not enter the lock. The lateral stripes, though, are usually the same for all locks of a certain maker and model, and often also the same across different models of the same maker, so it is more a convenient feature for finding the right key in your set than a security feature.
The additional issue is that nowadays, the cameras we have - even in our smartphones - have tens of megapixels, which makes it very easy to “read” the key from a picture, even if the key is not the main subject.
Once a key has been decoded, the only remaining step to obtain a working key is to shape it to match the now-known pin height sequence. To do so, you can go to a keymaker, who will have no issue creating a key from that information and the lock’s make and model (or the lateral stripe information). Obtaining a key from a keymaker is very straightforward, but it could leave tracks, so it could be suboptimal for people with nefarious reasons or people. An option to avoid the keymaker is to buy a virgin key in many stores (including Amazon) and learn to craft keys, even with simple tools. Another option, even easier nowadays, is to simply use a 3D printer, start with one of the many online models, encode the combination, and execute the print. It is also possible to find tools online that provide the maker, model, and combination of the lock; they will generate the exact 3D model for you, and you simply have to print it.
Although I spoke only about the pin-based locks, there are different kinds of locks, but their basic functioning model, and therefore security model, is the same or differs very slightly. Although some keys have additional security features that make them more resistant to similar attacks, the risk of a serious compromise is very high.
So, my general suggestion is to handle physical keys the same way you would handle any Credit Card PIN if it were written on paper: keep it in your pocket as much as possible, and definitely do not photograph and post it online!