**We recommend you change the passphrase of your Persistent Storage and other LUKS encrypted volumes unless you use a long passphrase of 5 random words or more.**
In all encryption technology that protects data on a disk or USB stick with a password or a passphrase, an attacker can try all possible combinations until they guess your passphrase and unlock the encryption. This type of attack is called a *[[!wikipedia brute-force attack]]*.
Some cryptographic parameters can also make each guess of a brute-force attack slower and more expensive, for example by having to do some complicated calculations on each passphrase before being able to try to unlock the encryption with the result of this calculation.
Over the years, computers become faster and cheaper. Encryption technologies regularly upgrade their parameters to find a balance between making encryption fast and usable by users while making brute-force attacks as expensive as possible for attackers.
Strong encryption parameters *combined* with a strong passphrase make brute-force attacks so slow and so expensive that they are impossible to do in practice. For example, a brute-force attack is impossible to do in practice if it would take thousands of years even with the most powerful supercomputers.
Until Tails 5.12 (19 April 2023), Tails created LUKS devices version 1 (LUKS1)with PBKDF2 as *key derivation function*, a calculation run on the passphrase before trying to unlock the encryption with the result.
Some cryptographers think this weakness might have already been [used against an activist in France](https://mjg59.dreamwidth.org/66429.html) but the actual operations by the French police are kept secret.
<table> <tr><th>Tails version<br/>when encryption was created</th><th>Release date</th><th>LUKS version</th><th>Key derivation function</th><th>Strength</th></tr> <tr><td>5.12 or earlier</td><td>19 April 2023</td><td>LUKS1</td><td>PBKDF2</td><td>Weak</td></tr> <tr><td>5.13 or later</td><td>16 May 2023</td><td>LUKS2</td><td>Argon2id</td><td>Strong</td></tr> </table>
We estimated how much electricity it would cost to guess passphrases of different strengths. As we recommend for the Persistent Storage, we evaluated passphrases made of several random words.
<table> <tr><th>Passphrase length</th><th>PBKDF2</th><th>Argon2id</th></tr> <tr><td>3 random words</td><td>$0.1</td><td>$100</td></tr> <tr><td>4 random words</td><td>$1 000</td><td>$1 000 000</td></tr> <tr><td>5 random words</td><td>$10 000 000</td><td>$10 000 000 000</td></tr> <tr><td>6 random words</td><td>$100 000 000 000</td><td>$100 000 000 000 000</td></tr> <tr><td>7 random words</td><td>$1 000 000 000 000 000</td><td>$1 000 000 000 000 000 000</td></tr> </table>
These numbers are very rough estimates but give an idea of what length of passphrase a very powerful adversary like a state-sponsored attacker could guess.