Now the problem with a password is that it can be broken using a brute-force attack.
Not necessarily.
It's possible to mitigate brute-forcing of passwords such that it is practically impossible to brute-force them. It requires mitigation in the system, but it also requires that the password is secure too.
When an encryption scheme derives its key from a password, it does so using a derivation function, which takes the password as input and generates a sufficiently long key string from it. A simple example of a derivation function is just a plain hash function, like SHA-512 or Whirlpool. Such a derivation function is easy to brute-force, because it runs very quickly and doesn't use many resources, so you can run it millions of times per second in order to try millions of possible passwords a second. Running on a GPU can extend this to hundreds of millions of passwords tried per second because it can be calculating many hashes in parallel.
But encryption schemes like the one in VeraCrypt use a derivation function that is difficult to brute-force, because it requires a lot of computing time and resources. For example, instead of running a SHA-512 or Whirlpool hash over the password once to derive the key, it runs that hash function over and over again, thousands of times, each time feeding the output back into the hash function again. VeraCrypt does this at least 200,000 times, and up to around 650,000 times. When brute-forcing a password, you would have to run the hash function that many times, just to attempt a single password. It reduces the number of passwords you can brute-force per second from, say, 1 million passwords per second down to maybe 1.5 (one and a half) passwords per second. This all but kills the ability to brute-force. GPUs would still be able to do it faster, if they work on many different passwords at once, but you still get around 1/650,000 the ability to brute-force.
Which brings us to password length. If your password is short or trivial ("12345" or "hunter2"), it's trivial to brute-force it no matter what. Passwords need to be long and unpredictable enough that they are unlikely to be discovered within the first billion attempts in a brute-force. The good thing is that every character you add to your password multiplies its resistance to brute-forcing significantly. If you have a 20-character password that is not predictable (e.g. random letters with numbers), it's going to be practically impossible to brute-force. Coupled with VeraCrypt's brute-force mitigation, which slows down the ability to brute-force by hundreds of thousands of times, now a 16-character password is just as secure. And even a short password, e.g. 10-12 characters, will probably be unfeasible to brute-force - that is, it may still not be discovered after months or years of attempted brute-forcing.
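The arithmetic behind the answer above, as an added example that is not part of the original post and not VeraCrypt's own code. It assumes PBKDF2-HMAC-SHA512 from Python's standard library as the iterated derivation, a 36-symbol alphabet (lowercase letters plus digits), and the answer's figure of 1 million guesses per second against a single plain hash.

```python
import hashlib
import math
import os

ALPHABET = 36                 # assumption: random lowercase letters plus digits
FAST_RATE = 1_000_000         # guesses/second against one plain hash (figure from the answer)
SECONDS_PER_YEAR = 365 * 24 * 3600


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a password into a 64-byte key; each guess costs `iterations` HMAC rounds."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations, dklen=64)


def guess_rate(iterations: int, fast_rate: int = FAST_RATE) -> float:
    """Guesses per second once every guess must repeat the hash `iterations` times."""
    return fast_rate / iterations


def stretch_bits(iterations: int) -> float:
    """Work added by the iteration count, expressed as bits of password entropy."""
    return math.log2(iterations)


def equivalent_chars(iterations: int, alphabet: int = ALPHABET) -> float:
    """Number of extra random characters that would add the same amount of work."""
    return math.log(iterations) / math.log(alphabet)


def years_to_find(length: int, iterations: int, alphabet: int = ALPHABET) -> float:
    """Expected years to hit a random password (half the keyspace on average)."""
    expected_guesses = alphabet ** length / 2
    return expected_guesses / guess_rate(iterations) / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = os.urandom(16)     # constructed sample salt
    key = derive_key("constructed sample passphrase", salt, 200_000)
    print(f"derived {len(key)}-byte key with 200,000 iterations")
    for iters in (1, 200_000, 650_000):
        print(f"{iters:>7} iterations: {guess_rate(iters):>12.1f} guesses/s, "
              f"+{stretch_bits(iters):4.1f} bits, "
              f"~{equivalent_chars(iters):.1f} extra chars, "
              f"10-char password: {years_to_find(10, iters):.3g} years")
```

The output shows that 650,000 iterations add about 19 bits of work, roughly the same as 3.7 extra random characters from this alphabet, which is why the iteration count helps a strong password but cannot rescue a short or predictable one.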