I agree with Schneier's quote, but you're also forgetting about password hashing. If it takes 10 seconds to derive the key (assuming the use of a strong hash function), anything with a good enough amount of entropy (60-90 bits) should be fine.
When an attacker acquires a leaked database, they're not cracking high-entropy passwords.
Yes, what speaks for dheera's method is the use of a strong KDF and especially (a point that I missed initially) that they use a truly random master password.
When an attacker acquires a leaked database, they're not cracking high-entropy passwords.