4-dial combination padlock: Is it more secure to zero it out or to blindly spin the dials after locking?
I would recommend setting it to 0000 or some other specified combination (doesn't really matter what).
"Mashing around the dials" is a little vague, but I would guess based on my own behavior that people would tend to move most or all of the dials at once, which would create a strong correlation between the current combination and the lock combination. For instance, if the lock combination is 1234, someone might change it to 5678 (probably not exactly, but close enough that an attacker could prioritize the combinations they try).
Humans also have a tendency to think some things seem more secure when they actually weaken security. Someone may try to set it to a combination that seems "further" from the lock combination, such as changing 1234 to 6578 instead of 2142 because 2142 is too "close" to the lock combination. This could allow an attacker to prioritize the order they attempt combinations. Specifying a constant value to set it to avoids such issues.
In theory, zeroing or any predetermined sequence is more secure, as you could, in theory, make a guess at how far someone might move the dials.
It is also conceivable that if you were able to check the state of the dials when locked on enough different occasions then you could narrow down the likely combination if it is being reset in a similar manner each time.
In practice this is probably a bit far-fetched, and anything with a combination lock probably has larger concerns, e.g. the combination being known by too many people, or the fact that any number between 1950 and 2018 plus the birth years of moderately famous people is probably a fairly good guess.
Having said that, there may be operational advantages in having combinations set to zero, as it gives a clear, unambiguous guideline, and it is easy to visually check that the lock is secure without the person doing the checking needing to know the combination, especially if actually physically checking that the lock is closed is problematic, e.g. opening it sets off an alarm. You could also argue that adding the extra step of zeroing creates more of a routine and so makes it less likely that people will forget to set the lock at all, although this is admittedly debatable.
For example, if you have a night security guard, you could just ask them to check that all locks are set to 0000, which is both easy to do and verifiable.
It also gives an (admittedly weak) check that the locks haven't been tampered with; here a more arbitrary sequence would be better.
For example, if you set all your locks to 2375 when you leave and the sequence is different when you get back, you know that someone has been messing with them.
You should also be aware that some types of combination dial lock are very trivial to pick, as you can often feel when each dial engages by quickly cycling through each dial or by probing from the outside. Equally, a 4-dial lock only has 10,000 (10^4) possible combinations, and you can often systematically go through combinations very quickly.
It does not matter.
A lock can provide three forms of protection:
- Delay an attacker from accessing a resource so that they can be interrupted and stopped
- Provide evidence of tampering
- Dissuade a would-be attacker from attempting an attack
As discussed throughout answers and comments, it fails to do much in the way of delaying an attacker. The lock can be easily cut with a tool, like this $10 pair of bolt cutters. It can be easily picked with a tool, as CGCampbell's comment points out.
The ease with which it can be picked also limits its effectiveness as tamper evidence. Other answers point out that it can be fairly easily defeated even without a picking tool. So it really fails on that, as well.
This leaves its only value as the psychological benefit. It communicates that the valuables inside are not meant for unrestricted access, which dissuades people whose sense of morality or the fear of being caught will prevent them from attempting at all.
What the dial sits on thus has nearly zero relevance to its defensive capabilities. As a result, you'll need other defensive mechanisms to achieve your security goals if they include anything beyond the psychological influence. Surveillance (video or in person) would give you tamper evidence much more reliably if that's what you need; if that's not viable, there are other means of achieving it. Other means of protection are required if your intention is to protect it from determined attackers.