Not that it's that big of a barrier, but it can be somewhat daunting to new password crackers.
https://news.ycombinator.com/item?id=15246145 <- Show:CoinHive
(All 40+ comments within the past ~2 months)
I also profiled the code trying to discover possible optimizations, and found that the code has been heavily optimized. Computation and data transfer are well overlapped, so GPU utilization is pretty high. It's a really great tool.
If he was able to crack any random bitcoin wallet, I don't think he'd be sharing it on this website.
I think the scenario here is that he had an encrypted wallet file that he didn't have the password for. In that case, cracking it is only as hard as the password (in other words, relatively easy if he remembers the enough about his password).
Full details at https://hashcat.net/forum/thread-6965.html
Additionally, you can always generate GPG keys on your machine, transfer them to the YubiKey, and then delete the keys from the local machine. It depends if that's an acceptable exposure for your threat model, but for me, having the keys locally for a couple minutes is fine.
That way I don't have deal with different subkeys and other complications that just makes everything hard to understand :)