I don't think this is the correct takeaway from the situation.
* What matters is not the length of the password ("20 characters") or included character groups ("letters, digits and symbols"), but its entropy. In particular, obfuscating a word with some digits or symbols does not really gain much.
* A slow or memory-hard key derivation function is a band-aid, not a fix. Making hashing harder slows down the attacker linearly. Choosing a longer passphrase slows them down exponentially.
* The victim used "Ubuntu 18". This is quite an old distribution and while still in extended support, many packages are not receiving proper security patches any more (IIRC, only "main" is fully supported, while the situation in "universe" is quite bad). It is quite likely that the machine was compromised at runtime.
So my takeaway would be:
* Use a proper passphrase. The diceware method with 10 words is a good choice, giving you slightly more than 128 bits of entropy. The KDF does not matter then, it could even be a simple SHA-2.
* Always use well-supported software, and do not skip updates. Do not install unneeded software, particularly on machines processing high-risk data.
* In addition, make hardware-based attacks harder, particularly if you're a member of a vulnerable group. Check that nobody is watching you while entering the passphrase. Do not leave your computer unattended, especially when turned on or in suspend-to-RAM. Only buy computers in person, and do not use computers returned from police.
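The entropy argument in the comment above, worked through as an added example (not part of the original post): it puts numbers on diceware entropy, on a "word plus digits and a symbol" password, and on how much a slower KDF buys in comparison. The dictionary size, symbol count and KDF cost factor are assumed model parameters, not values from the post.

```python
import math

# Constructed model parameters (assumptions for this example, not from the post).
DICEWARE_LIST_SIZE = 7776        # standard diceware list: 6^5 words
ENGLISH_DICTIONARY_SIZE = 2**17  # ~131k words an attacker would try first
DIGITS = 10
SYMBOLS = 32                     # printable ASCII punctuation
PRINTABLE = 95                   # printable ASCII characters


def diceware_entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase made of `words` uniformly random diceware words."""
    return words * math.log2(list_size)


def naive_entropy_bits(length: int, charset: int = PRINTABLE) -> float:
    """What a 'length x character set' password meter would report."""
    return length * math.log2(charset)


def obfuscated_word_entropy_bits(digits: int, symbols: int) -> float:
    """Realistic entropy of 'dictionary word + digits + symbol(s)' once the
    attacker guesses that pattern instead of every possible character."""
    return (math.log2(ENGLISH_DICTIONARY_SIZE)
            + digits * math.log2(DIGITS)
            + symbols * math.log2(SYMBOLS))


def kdf_equivalent_bits(cost_factor: float) -> float:
    """A KDF that costs `cost_factor` times one SHA-2 call adds a constant
    log2(cost_factor) bits of attacker work: a linear slowdown, applied once."""
    return math.log2(cost_factor)


def extra_words_for_same_gain(cost_factor: float) -> float:
    """Number of extra diceware words that buy the same work factor as the KDF;
    each added word multiplies attacker work by the list size (exponential)."""
    return kdf_equivalent_bits(cost_factor) / math.log2(DICEWARE_LIST_SIZE)


if __name__ == "__main__":
    print(f"10 diceware words:            {diceware_entropy_bits(10):.1f} bits")
    print(f"'word99!' per a meter:        {naive_entropy_bits(11):.1f} bits")
    print(f"'word99!' vs a pattern guess: {obfuscated_word_entropy_bits(2, 1):.1f} bits")
    print(f"KDF 2^20x slower than SHA-2:  +{kdf_equivalent_bits(2**20):.1f} bits")
    print(f"  ... same gain as adding     {extra_words_for_same_gain(2**20):.2f} words")
```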