As I understand it, it attempts to decrypt a TC volume (and any hidden volume contained within) by brute-forcing the password and using a dictionary of some kind.
Essentially it just tries to open the volume with many passwords in quick succession. So there isn't a vulnerability in TrueCrypt itself, and complex / long passwords are unlikely to be found with this tool.
For the Header Keys (which I believe is what the attack is going after, as that is what the password unlocks), TC does use a Salt. See [0]
And for slow hashing schemes that is a fair point, but when you're looking at file decryption, there is nothing to stop parallel attempts happening at once on different machines. Also TC does support using cascading ciphers which can help to slow it down.
Note: I'm not an expert in Cryptography by any means, but this is my current understanding.
It says they are only doing 1000 (or 2000) hash iterations to derive the key, and it seems like it is too few iterations to be much of a brute force deterrent these days. I would have expected something like 100000 iterations, or 1 second or more of calculation time on a modern CPU.
A good system uses a key stretching function, not a hash. (For the same reason we don't call a MAC a hash, we don't call a key stretching function a hash.)
I don't know cryptography in any depth, but I'd think a good password encryption scheme uses a slow function. A good disk encryption scheme needs to be fast to be usable, thus the security becomes much more dependent on choice of passphrase.
The key that is used to decrypt the hard disk is stored inside an area that is encrypted with the passphrase and/or keyfiles. That may use a different algorithm than the actual OTF encryption for the rest of the disk. Thus, you can use a short key with a LONG hash time and protect a LONG key with a short encryption time and voila.
I mean, that's how this service works anyway; you send it the volume header and it attempts to crack it. If it can read the contents of the header, then you can read out the key used to encrypt/decrypt the volume itself.
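The two-tier layout discussed in this thread (a salted, deliberately slow passphrase derivation that only unwraps a random master key stored in the header), as an added sketch that is not code from any commenter or from TrueCrypt. It assumes PBKDF2-HMAC-SHA512 for the stretching step and a toy XOR keystream in place of the real header cipher; all function names are hypothetical.

```python
import hashlib, hmac, os, time

MAGIC = b"TRUE"   # marker checked after unwrapping to recognise a correct passphrase
SALT_LEN = 64     # random per-volume salt stored in the clear at the start of the header

def derive_header_key(passphrase, salt, iterations):
    # Slow step: runs once per mount, and once per guess for anyone holding the header.
    return hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt, iterations, dklen=32)

def _keystream(key, n):
    # Toy stream (HMAC-SHA512 in counter mode) for illustration only, not a disk cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha512).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def create_header(passphrase, master_key, iterations):
    # The master key encrypts the data at full speed; the passphrase only wraps it.
    salt = os.urandom(SALT_LEN)
    body = MAGIC + master_key
    hk = derive_header_key(passphrase, salt, iterations)
    return salt + _xor(body, _keystream(hk, len(body)))

def open_header(passphrase, header, iterations):
    # Returns the master key, or None when the unwrapped marker does not match.
    salt, wrapped = header[:SALT_LEN], header[SALT_LEN:]
    hk = derive_header_key(passphrase, salt, iterations)
    body = _xor(wrapped, _keystream(hk, len(wrapped)))
    return body[4:] if hmac.compare_digest(body[:4], MAGIC) else None

def derivation_seconds(iterations, passphrase="constructed sample passphrase"):
    # Cost of one derivation, i.e. the per-attempt cost the iteration count buys.
    salt = bytes(SALT_LEN)  # constructed all-zero salt, for timing only
    start = time.perf_counter()
    derive_header_key(passphrase, salt, iterations)
    return time.perf_counter() - start

if __name__ == "__main__":
    for n in (1000, 2000, 100000):
        print(f"{n:>6} iterations: {derivation_seconds(n) * 1000:.2f} ms per derivation")
```

Running it prints the per-derivation cost at the iteration counts mentioned in the thread; the salt makes two headers created with the same passphrase differ, so work on one header does not carry over to another.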