I found a massive Key Space Reduction Attack on locks sold by Home Depot. The flaw lies in their procurement process, rather than the locks themselves, and enables an adversary to reduce the possible key codes for locks based on the time of shipment, identified by the approximate time of install. For commercial settings where building permits indicate construction time lines, this can give a significant advantage to an attacker in that he may use an actual key and not leave a trace. The flaw is caused by the Home Depot’s processes, not their lock vendors who have urged them not to refuse randomization.