Threat models

- Offline attacks
  - Protected local parameter
  - Decent hash type
  - Password stretching
  - Random per-account salts
    - With targeted attacks, salts are of less help, yet they should be used in those cases as well
  - Strict password policy
- Password reuse (across multiple sites)
- Online attacks
  - Password policy
  - Per-source rate limiting
  - Multi-factor authentication
  - Behavior analysis
    - Akin to a spam filter
- User-targeted attacks
  - Phishing, trojans, client vulnerability exploits
- Network-based attacks
  - DNS, routing, MITM, sniffing
- Server vulnerability exploits
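The offline-attack mitigations listed above, combined in one added example that is not part of the original outline: a random per-account salt, password stretching, and a local parameter. Assumptions: the "protected local parameter" is read as a secret key kept outside the password database, PBKDF2-HMAC-SHA256 stands in for the stretching function, and the function names and iteration count are hypothetical.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Stretching cost (assumed value for this example; tune to your hardware).
ITERATIONS = 200_000


def hash_password(password: str, local_param: bytes,
                  salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); both are stored in the account database."""
    if salt is None:
        # Random per-account salt: equal passwords give unrelated digests,
        # so one guess cannot be tested against every account at once.
        salt = secrets.token_bytes(16)
    # Password stretching: each guess costs ITERATIONS HMAC computations.
    stretched = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS)
    # Local parameter: a key that is NOT stored next to the digests.
    # A dump of the database alone is then not enough to test guesses offline.
    digest = hmac.new(local_param, stretched, hashlib.sha256).digest()
    return salt, digest


def verify_password(password: str, local_param: bytes,
                    salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, local_param, salt)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed sample values; a real key would be loaded from protected
    # storage that is separate from the password database.
    key = secrets.token_bytes(32)
    salt_a, hash_a = hash_password("correct horse", key)
    salt_b, hash_b = hash_password("correct horse", key)
    print("same password, different stored hashes:", hash_a != hash_b)
    print("verifies with the key:",
          verify_password("correct horse", key, salt_a, hash_a))
    print("fails with a different key:",
          verify_password("correct horse", secrets.token_bytes(32),
                          salt_a, hash_a))
```

The salt does not slow down an attack on a single targeted account; stretching and the local parameter are what raise the cost in that case.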