Actually the quantum Grovers algorithm would result in it sometimes making more sense to attack the key directly than attacking the password, since it halves the key space of the symmetric key (turning AES-128 into AES-64, which is hopefully easier to break than many passwords). But I think direct attacks on the key only make sense in the quantum rather than classical world.