Anyone in the world could crack your password. (Well, any of 2.5 billion people with an internet connection.) Requiring a physical key instead cuts the attack surface down quite a bit. If you can secure your car and house keys, you can secure this.
You use it much more often than those keys. And really people don't care about being pirated by a stranger. They care about their spouse learning you still talk to your ex. Or your sibling getting a picture of you that is embarrassing.
I think you should elaborate on the specific threat model you're describing. Are you assuming a dumped database? Or are you talking about a brute force against an online service?
That is exactly the question a user should ask themselves. I can't answer it for anyone else. But for your two cases, the key is more secure because there is no relatively short password that can be guessed. An attacker has to brute force the cryptographic key, which should be infeasible. Passwords are easier to crack online or offline, unless you've picked a password with 112 bits of entropy.
>brute force the cryptographic key, which should be infeasible.
Not only infeasible - physically impossible, in fact (barring quantum computers). Just 128 bits of entropy would take 1e16 (10 quadrillion) years to brute force at 1e15 attempts per second. :)