Came here to say this. Truecrypt certainly uses a Password Based Key Derivation Function (PBKDF) which greatly slows down the speed with which passwords can be guessed. You should expect a well funded attacker can guess trillions of passwords per second. A quick search reveals a cluster of 25 AMD graphics cards got up to 348 billion passwords per second, and the best card in their cluster was a 7970 not even any 7990. I think the cost of that must have been no more than about $12,000 since several of the cards they used are fairly old. It seems to me that they are making exponential gains in password cracking technology because the last time I looked into it the commercially available solutions were guessing about twenty billion passwords per second but now I find people making their own clusters getting into the hundreds of billions. PBKDF slows down such attacks depending on how many iterations the PBKDF is set to use. Cracking a password created with PBKDF with 10,000 iterations takes 10,000 times as long as cracking a password with no PBKDF iterations. So if an attacker can guess 1 trillion hashes per second they can only guess 100 million passwords created with PBKDF with 10,000 iterations. The problem with PBKDF is the more iterations there are the slower it is for a legitimate user to obtain their key with their password. If the user was willing to wait sixty seconds after typing in a password before anything happened, we could add more and more iterations and more and more security for the user. I think in the future the best option is to let the user set their own number of PBKDF iterations, so they can decide the trade off they want to make between ease of use and security. For most applications they try to make it so the user cannot even notice a delay from PBKDF but that it adds up to a big delay when someone tries to guess trillions of passwords. If a user was willing to wait for 100,000 password iterations on whatever CPU they have, the password cracker that can guess 1 trillion hashes per second would only be able to guess 10 million passwords a second. There are techniques for using RAM to limit password attempts as well.