How secure is a Veracrypt encrypted Windows system partition with a PIM value of 1

Topics: Users Discussion
Aug 25, 2015 at 6:56 PM
Edited Aug 25, 2015 at 7:21 PM
Well, you are safe, unless of course your 20 character password is predictable (using known words, etc). I think with 20 character password you should not be concerned about the PIM value at all.

Lets do some math.... my laptop keyboard has 48 character (symbol) producing keys... i have just counted them..... lets assume that your password can be entered by these keys and you are not the paranoid type who is using special characters that are not possible to be entered by a simple keystroke or a keystroke while holding Shift. I believe 99% of the users will be using passwords, produced by these 48 keys (this number can vary on different keyboards, but will be more or less the same), making the total possible characters used in a passwords to be 96 (48 simple keys + 48 shift keys). Those who use other special characters, produced by Fn/Alt key + codes need not read any further, they will anyhow forget their passwords and/or keyfiles soon or later LOL.... For the normal paranoid users, 20 characters password, made of these 98 keys, will amount to 96^20 combinations, or if we want to get some more meaningful number, we will get the entropy in bits, which will be equal to log2(96^20)= 131,7 bits.

With almost 132 bits under the belt, i think everyone is safe....

p.s. still, with pim=1, you will be performing 16000 iterations, upping the "bits" to 145,7.... meaning that in case someone is bruteforcing your password , he will need to perform 145,7-1=144,7 bits operations on average.

p.p.s. lets do some more funny math based on pim=1.... lets assume that someone is extremely lucky and finds your correct password within the 1 millionth percentile of tries.... meaning that he will bruteforce your correct passwords when he has tried only one millionth of all possible combinations..... its really a bad luck for you..... and lets make your life even more miserable and assume that this guy performs one trillion combinations per second (as Snowden suggested to be eventually possible).... and to make things really nasty, lets assume that this guy has a team of one million fellows/computers with the same power..... what a Monsterous setup...... so then what do we have:
C=2^145,7 / 1 000 000 / 1 000 000 000 000 / 1 000 000 / 60 / 60 / 24 / 365 / 100 = 22975435982 centuries to brake your password :) I hope i didnt make a mistake, as the result looks "suspicious", even to me :)
Marked as answer by PicoVX on 9/1/2015 at 1:45 AM
Aug 27, 2015 at 8:53 PM
Check the entropy of your passwords here:

The timing might be faster than what their prediction is if you use specialized ASIC stacks but it shows nicely how extending the password just a little takes the amount of combinations through the roof.