
A _random_ 16-character password from all character types can't be brute-forced. A password made from common dictionary words, with numbers substituted in with l33tsp3ak, and an exclamation mark on the end, is a different story. Passwords like that would be sitting in precomputed hash lists already.


The hash would only be sitting in precomputed lists if LastPass did not salt the passwords first. It's my understanding that they did.


Ah, we both went on a tangent. The password in question is to the twitterer's LastPass vault, and so a precomputed hash list would be of no use, and since it's an encryption key and not a hash, there is nothing to salt.

I suppose the point was more that faced with many users' LastPass vaults there are more likely and less likely keys -- but they'll still have to try the keys.
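An added example, not code from the thread or from LastPass, that puts numbers on the two points made above: how the search space of a random 16-character password compares with a "dictionary words + l33t digits + trailing symbol" pattern, and why a precomputed hash table only helps against unsalted storage. The 94-symbol alphabet, the 20,000-word dictionary, the guess rate, SHA-256 as the hash, and the sample candidate list are all constructed assumptions for illustration.

```python
import hashlib
import math
import string

# Constructed parameters for the comparison (assumptions, not figures from
# the thread): a 94-symbol printable alphabet, a 20,000-word dictionary and
# an offline attacker trying 1e10 candidates per second.
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)  # 94
DICTIONARY_WORDS = 20_000
GUESSES_PER_SECOND = 1e10


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_password_bits(dictionary_size: int, words: int,
                          substitutable_letters: int, suffix_choices: int) -> float:
    """Generous upper bound for 'dictionary words + l33t substitutions + suffix'.

    Each word contributes log2(dictionary_size) bits, each letter that may or
    may not be swapped for a digit contributes at most 1 bit, and the trailing
    symbol contributes log2(suffix_choices) bits.
    """
    return (words * math.log2(dictionary_size)
            + substitutable_letters
            + math.log2(suffix_choices))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate in a space of size 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# --- precomputed table against unsalted vs. salted storage -------------------

def build_precomputed_table(candidates):
    """hash -> password map that can be computed once, before any breach."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def lookup_unsalted(table, password):
    """Unsalted storage: the stored hash is looked up directly in the table."""
    return table.get(hashlib.sha256(password.encode()).hexdigest())


def lookup_salted(table, password, salt: bytes):
    """Salted storage: the same password hashes differently for every salt,
    so a table built without that salt finds nothing."""
    return table.get(hashlib.sha256(salt + password.encode()).hexdigest())


if __name__ == "__main__":
    strong = random_password_bits(PRINTABLE, 16)
    weak = pattern_password_bits(DICTIONARY_WORDS, words=2,
                                 substitutable_letters=3, suffix_choices=4)
    print(f"random 16-char: {strong:.1f} bits, "
          f"{years_to_exhaust(strong, GUESSES_PER_SECOND):.2e} years to exhaust")
    print(f"words+l33t+!:   {weak:.1f} bits, "
          f"{years_to_exhaust(weak, GUESSES_PER_SECOND):.2e} years to exhaust")

    # Constructed sample candidate list standing in for a precomputed table.
    table = build_precomputed_table(["password", "Passw0rd!", "letmein"])
    print(lookup_unsalted(table, "Passw0rd!"))                   # 'Passw0rd!'
    print(lookup_salted(table, "Passw0rd!", b"per-user-salt"))   # None
```

The entropy figures are upper bounds for the patterned password; a guesser that orders candidates by popularity finds typical choices far sooner than exhausting the space. The salt demonstration uses a plain hash for clarity; storing credentials should use a slow, salted KDF, and a vault key derived from the master password gains the same per-user property from the KDF's salt rather than from salting a stored hash.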


Read the tweets, explaining how they generated their password.



