Don't they just do a brute force attack?
Unless ElcomSoft have changed their software significantly, its approach to cracking the actual backup password (the 'iPhone Password Breaker') seemed to be that of a brute force attack (with a few attempts at shortcuts). This new feature just seems to then go on to decrypt the data that represents the on-device keychain (NB. 1Password uses its own data store. Though we have no real way of knowing if it's any more secure.)
My understanding of iPhone/iPod touch backups is this: If you apply a password to the backup of the phone (in iTunes, it's an option when the phone is plugged in) then this is used to encrypt the phone's in-built key (the one that is actually used for the encryption.) Further, the device does the encryption of the data on the way out when being backed up, and it only provides the key encrypted with the user's password from thereon (which is why you can't remove a password once you've set one, without wiping the phone with a full restore.)
I suspect, if you have a copy of the key on disk from before you set a backup password - e.g. in an earlier backup (from a restore point, or via TimeMachine maybe), then it's straightforward for ElcomSoft's 'iPhone Password Breaker' to decrypt your backup. Otherwise it has to crack it the hard way (still not too hard if you used a dictionary password or something a few "st3p5" away.)
None of this prevents just copying the data out of the device directly, per previous reports, if you actually have access to it (perhaps they've fixed that with iOS 4, and/or iPhone 4. There haven't been any attention-grabbing reports about it yet.)
Can any one corroborate, expand, or correct?