We have two different protections for "brute forcing":
1) Our servers accept at maximum 10 wrong credentials per minute in the logon process. If an attacker tried more than 10 wrong credentials within a minute, he has to wait until the next minute.
2) If somebody would somehow have gained access to your encrypted keys, he needs the password key to decrypt and use them. The password key is not directly your password, but rather a derivation from it. We're using a function called PBKDF2 (http://en.wikipedia.org/wiki/PBKDF2) with HMAC-SHA512 and 10.000 iterations to derive the password key from your password. This slows down brute force attacks from millions of different passwords to only a few thousands (depending on the attacker's hardware). This makes brute force attacks unusable because brute forcing an average password would take MANY years.