Well, it sounds like you are talking about blockchain.info. With bc.i anybody can get at the copy of the wallet. All they need is the wallet identifier. Once they have the copy of the wallet they can brute force it at leisure. Doesn't matter how many passwords you have. So you should use a desktop client like Electrum or Armory.
People who haven't worked on password cracking have this quaint notion of running a little dictionary file through a program... and this would have been accurate in 1990 for someone cracking at your unix-crypt uni shell account. Today the tools are significantly better and have been refined through the disclosure of hundreds of millions of unencrypted passwords and the same kind of statistical tools that power speech recognition and automatic human language translation. This statistical intelligence gets backed up by the brute force of GPU and FPGA clusters that can try hundreds of millions or even billions of attempts per second.
https://bitcointalk.org/index.php?topic=311000.msg3346715#msg3346715
Yeah, I was mainly talking about blockchain, because I wasn't too sure on the specifics of if the attacker would also need the secondary password to send out funds... but with a copy of the backup, it doesn't seem like they would need the secondary password.