It comes back to motivation. Few would consider it worthwhile to hack into a teenager's website, but obviously it is a different matter if we are talking about your bank account. As I say, if money or its equivalent is at stake then someone will be motivated to crack the obfuscation.
I have never understood how a hacker can try millions of combinations. He must not only find the right password, but test that (and all) password(s) to see if it works. Even at one second per try you can only test 3,600 an hour, 86,400 per day working full time. The rate at which an attacker can submit guessed passwords to the system must be a constraint. A password of 10 characters will take over 19 years to crack at a 100-billion-guesses-a-second effort to break the encryption.
In short, and as you say, is it safe enough for practical purposes? Yes.
Of course, the password must be unguessable. I understand that if I know the names of your wife, children, pets and football team then I have a 40% chance of guessing your password correctly.