If you use 128-bit, 256-bit, etc. encryption but only have a password that is, say, 20 characters long, doesn't that mean that in order to decrypt a system, an attack should be launched at a password? If this is the case, why does bit length matter?