Threat models

- Offline attacks
  - Decent hash type
  - Proper password stretching settings
  - Random per-account salts
    - With targeted attacks (on few high-value accounts as opposed to lots of low-value ones), salts are of less help, yet they should be used in those cases as well
  - Strict password policy
  - Password reuse across sites

- Online attacks
  - Password policy
    - At least ban top N most common passwords
  - Per-source rate limiting
  - Multi-factor authentication
  - Behavior analysis
    - Akin to a "spam filter"

- User-targeted attacks
  - Phishing, trojans, client vulnerability exploits

- Network-based attacks
  - DNS, routing, MITM, old-fashioned sniffing

- Server vulnerability exploits
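As an added example (not part of the original slides), the following Python puts the offline-attack mitigations (a memory-hard hash, explicit stretching parameters, a random per-account salt) and two of the online-attack mitigations (banning the top N common passwords, per-source rate limiting) into one small account store. The scrypt parameters, the five-entry common-password list, the policy length floor and the class and function names are all my own assumptions for illustration; a real deployment would tune the parameters to its latency budget and load a much larger ban list.

```python
"""Added example: offline and online password-attack mitigations from the
outline, combined in a small in-memory account store. Not from the original
slides; all names and parameter values here are illustrative assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

# Stretching parameters for scrypt (assumed "proper" settings for this demo;
# tune N/r/p so one hash costs as much as your login latency budget allows).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16

# Constructed "top N most common passwords" list; a real ban list would be
# much larger and sourced from breach corpora.
TOP_N_COMMON = {"123456", "password", "qwerty", "letmein", "welcome"}


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Hash with a fresh random per-account salt and CPU/memory-hard stretching.
    The parameters are stored with the digest so they can be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # random salt per account
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"alg": "scrypt", "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "salt": salt, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=record["salt"],
                               n=record["n"], r=record["r"], p=record["p"],
                               dklen=len(record["digest"]))
    return hmac.compare_digest(candidate, record["digest"])


def password_allowed(password: str, min_len: int = 10) -> bool:
    """Minimal policy: a length floor plus the top-N common-password ban."""
    return len(password) >= min_len and password.lower() not in TOP_N_COMMON


class SourceRateLimiter:
    """Per-source (e.g. per client address) sliding-window limit on attempts."""

    def __init__(self, max_attempts: int, window_seconds: float):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._attempts = defaultdict(deque)  # source -> attempt timestamps

    def allow(self, source: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._attempts[source]
        while q and now - q[0] > self.window:
            q.popleft()  # forget attempts that fell out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


class AccountStore:
    def __init__(self, limiter: SourceRateLimiter):
        self._records = {}
        self._limiter = limiter

    def register(self, user: str, password: str) -> bool:
        if not password_allowed(password):
            return False
        self._records[user] = hash_password(password)
        return True

    def record(self, user: str) -> Optional[dict]:
        return self._records.get(user)

    def login(self, user: str, password: str, source: str,
              now: Optional[float] = None) -> str:
        """Returns 'rate_limited', 'ok' or 'denied'. The unknown-user path
        still performs a hash so response time does not reveal valid names."""
        if not self._limiter.allow(source, now):
            return "rate_limited"
        rec = self._records.get(user)
        if rec is None:
            hash_password(password)  # burn equal work for unknown users
            return "denied"
        return "ok" if verify_password(password, rec) else "denied"
```

Two users registering the same password end up with different salts and therefore different digests, which is what blunts precomputation in the offline case; the limiter is keyed by source rather than by account so that a single source cannot spray guesses across many accounts.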