by NovemberWhiskey
1516 days ago
If your password is 22 randomly generated characters chosen from the alphabet of upper and lower case letters plus numbers (which implies ever-so-slightly-less than six bits of entropy per character) then you will get 128-bit security from one of these devices - meaning that an attacker will just as well have to brute-force the cipher as attack the password. And, as you said, that is currently believed infeasible. If you are a human being, your password is more likely to be a single English word or name with some arbitrary capitalization, some swapping out of o/0 a/@ s/$ t/+ or some such, and then a number tacked on the beginning or end. At this point, brute-forcing your password is going to be a much simpler proposition; you're reliant on a key-derivation function being sufficiently expensive to compute to slow down that brute-force attack. The attack in this case was of the latter kind; the KDF was so poor that it could be attacked very quickly. No 128-bit encryption was harmed in the filming of that presentation.
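The arithmetic behind the comment above, as an added example that is not part of the original post: it compares the entropy of 22 random alphanumerics with an estimate for the word-plus-mangling pattern, then shows how KDF cost changes the guessing rate. The 100,000-word dictionary, the two-digit number limit, the sample word and the use of PBKDF2-HMAC-SHA256 are assumptions for illustration; the page does not say which KDF the device used.

```python
import hashlib
import math
import time

ALNUM = 26 + 26 + 10          # upper + lower + digits, as in the comment
SWAPPABLE = set("oast")       # o/0 a/@ s/$ t/+

def random_password_bits(length, alphabet_size=ALNUM):
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def mangled_word_bits(word, dictionary_size, max_digits=2):
    """Estimated entropy of: dictionary word, arbitrary capitalization,
    optional symbol swaps, and a number at the beginning or end."""
    variants = 1
    for ch in word.lower():
        # lower, upper, or (for swappable letters) the symbol form
        variants *= 3 if ch in SWAPPABLE else 2
    numbers = sum(10 ** d for d in range(1, max_digits + 1))
    candidates = dictionary_size * variants * numbers * 2  # 2 = front or back
    return math.log2(candidates)

def average_crack_seconds(bits, guesses_per_second):
    """Expected time to find the password: half the keyspace on average."""
    return 2 ** (bits - 1) / guesses_per_second

def kdf_seconds(iterations, trials=3):
    """Measured cost of one PBKDF2-HMAC-SHA256 derivation on this machine."""
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"constructed-pw", b"constructed-salt", iterations)
    return (time.perf_counter() - start) / trials

if __name__ == "__main__":
    strong = random_password_bits(22)
    weak = mangled_word_bits("password", dictionary_size=100_000)  # assumed list size
    print(f"22 random alphanumerics: {strong:.1f} bits")
    print(f"mangled dictionary word: {weak:.1f} bits")
    for label, iters in (("1 iteration", 1), ("200,000 iterations", 200_000)):
        rate = 1 / kdf_seconds(iters)  # single-threaded rate on this machine
        days = average_crack_seconds(weak, rate) / 86_400
        print(f"{label}: {rate:,.0f} guesses/s, ~{days:,.1f} days for the weak password")
```

The absolute rates are those of one CPU thread; what carries over to other hardware is the ratio between the cheap and the expensive derivation.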