I guess am a bit of a paranoid ha... anyway i encrypted my HDD with truecrypt using all printable ASCII characters and the password is 64 characters long. It is quite random, certainly no dictionary words but it is still possible to memorize easily.

Can it be brute-forced? The thing is, i know that its supposed to be secure, but isn't there a chance that someone can just guess the password after like 10 attempts?

Surely that possibility exists. Sometimes lightning strikes as they say.


The short answer is: NO!

No security measure is safe on its own, as it may contain bugs/vulnerabilities/etc. It might withstand a single method (e.g. brute-forcing) for circumventing the protection, but there might be a combination of methods that it may not be able to handle.

Truecrypt was (or, still is?) vulnerable to "Cold boot attacks":

Passwords stored in memory

TrueCrypt stores its keys in RAM; on an ordinary personal computer the DRAM will maintain its contents for several seconds after power is cut (or longer if the temperature is lowered). Even if there is some degradation in the memory contents, various algorithms can intelligently recover the keys. This method, known as a cold boot attack (which would apply in particular to a notebook computer obtained while in power-on, suspended, or screen-locked mode), has been successfully used to attack a file system protected by TrueCrypt.

Additional reading on "TrueCrypt Security Concerns".


Actual actual reality: nobody cares about his secrets.  (Also, I would be hard-pressed to find that wrench for $5.)

If you have all ASCII characters, quite frankly, it is possible still - but highly unlikely.


According to http://howsecureismypassword.net/, it would take roughly 314 trigintillion years for a normal desktop computer to crack your password. That's several orders of magnitude greater than the time left in the existence of the Universe. I think you're covered on the brute force front.

Just for fun:

1 trigintillion = 1,000,000,000,000,000,000,000,000,000,000,
                  000,000,000,000,000,000,000,000,000,000,000
                  000,000,000,000,000,000,000,000,000,000

At work, we deal with hard drive encryption on a daily basis. The truth is, the kind of encryption you have on your drive are probably very sufficient for a home user. I have that same feeling of being paranoid with all my data, and truecrypt satisfies me.

However, true encryption for hard drives has to be at the hardware level. Looks for Stonewood drives (Flagstones) on the net. They offer full hardware encryption with a maximum of 5 attempts before locking out, then 5 more before completely destroying the drive according to government standards.


In response to "Can it be brute-forced":

There are 95 printable ASCII characters (including space), so there are 9564 possible 64-character passwords. That's 3.75 x 10126, which is over 420 bits of security. In comparison, 128-bits is considered secure from brute forcing for an AES key, and 265-bits is enough to assign a different value to every atom in the visible universe.

Assuming your adversary has a botnet of 10 billion computers (1000x larger than the largest known botnet), each of which can check 1 billion passwords per second, the expected time to find your password by brute-force would be 5.87 x 1051 years - that's 45 trillion trillion trillion times the age of the universe.

So yes, your password is absolutely secure from brute-forcing. In fact, assuming you are using AES-256, your 64-character password gives you no extra security over a 39-character password, because after that point it would be faster to just brute-force the key.