[This article](https://blog.elcomsoft.com/2020/05/unlocking-bitlocker-can-you-break-that-password/) from Elcomsoft addresses the different ways to secure a system with BitLocker. They list various security models, ranging from password only, TPN only, to TPM + pin, TPM + usb key or TPN + PIN + USB key.
Most enterprise users probably use the TPN-only model. The same with many private users.
Those who want a little better security like to use TPN + pin, or even better, TPN + password (enhanced PIN).
It may seem that if you use TPN + PIN, TPN + password, TPN + USB or TPN + PIN + USB, the only possible step for an intruder will be to try to attack Recovery Key.
If you compare BitLocker with other encryption solutions such as VeraCrypt or BestCrypt, BitLocker is the only solution that requires a Recovery Key.
I’m wondering if this is a vulnerability in BitLocker.
This key consists of 48 numbers. These numbers are divided into 8 groups consisting of 6 numbers. Each of these groups consists of a digit that must be divisible by 11.
It goes without saying that an attacker will have to have a powerful system to crack a Recovery Key, if that is at all possible.
This makes me think that maybe it is “easier” for an attacker to attack a Recovery Key because the attacker knows the exact length of the key, that the key consists exclusively of numbers and that each group of 6 numbers must be divisible by 11, compared to a system without a Recovery key, where where the attacker is not familiar with the length or composition of the password? The attacker must then throw out a much larger net to crack the password.
Microsoft could have avoided this by making the key consist of, for example, a password of random 48 characters.
Is this an actual vulnerability of BitLocker, or are the number possibilities of a Recovery Key so large that it will not be cracked with a targeted attack?