Threat models

- Offline attacks
  - Decent hash type
  - Proper password stretching settings
  - Random per-account salts
    - With targeted attacks (on few high-value accounts as opposed to lots of low-value ones), salts are of relatively little help, yet they should be used in those cases as well
  - Strict password policy
  - Password reuse across sites
    - Who is responsible for what?
- Online attacks
  - Password policy
  - Per-source rate limiting
  - Additional authentication factors
  - Behavior analysis
    - Akin to a "spam filter", may reduce success rate of non-targeted attacks (Google does it)
- User-targeted attacks
  - Phishing, trojans, client vulnerability exploits
- Network-based attacks
  - DNS, routing, MITM, old-fashioned sniffing
- Server vulnerability exploits
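Added example for the offline-attack items (hash type, stretching, per-account salts), written for this page rather than taken from the slides. It measures attacker work in hash invocations: an unsalted fast hash lets one computation per candidate be compared against every stored digest, per-account salts force one computation per (account, candidate) pair, and stretching multiplies the cost of each of those. It also shows the caveat in the slide: against a single targeted account the salt adds no multiplier, only the stretching does. The account list, wordlist and iteration count are constructed for illustration (1000 iterations is far below a production setting).

```python
import hashlib
import hmac
import os

# Constructed sample data: three accounts share one weak password, and the attacker's
# wordlist happens to contain both passwords in use.
SAMPLE_ACCOUNTS = {"alice": "password1", "bob": "letmein", "carol": "password1", "dave": "password1"}
WORDLIST = ["123456", "password1", "qwerty", "letmein"]
ITERATIONS = 1000  # illustrative stretching factor, deliberately small


class Cost:
    """Accumulates attacker work, in units of one underlying hash computation."""
    def __init__(self):
        self.units = 0


def unsalted_hash(password, cost):
    """Plain SHA-256: fast, unsalted, unstretched (the thing the slide argues against)."""
    cost.units += 1
    return hashlib.sha256(password.encode()).digest()


def salted_stretched_hash(password, salt, cost):
    """PBKDF2-HMAC-SHA256 with a per-account salt; each call costs ITERATIONS units."""
    cost.units += ITERATIONS
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_unsalted(accounts):
    return {user: unsalted_hash(pw, Cost()) for user, pw in accounts.items()}


def store_salted(accounts):
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # random per-account salt, stored beside the digest
        db[user] = (salt, salted_stretched_hash(pw, salt, Cost()))
    return db


def crack_unsalted(db, wordlist, cost):
    """No salt: hash each candidate once and compare it against every account at once,
    so the work does not grow with the number of accounts attacked."""
    found = {}
    for candidate in wordlist:
        digest = unsalted_hash(candidate, cost)
        for user, stored in db.items():
            if user not in found and hmac.compare_digest(digest, stored):
                found[user] = candidate
    return found


def crack_salted(db, wordlist, cost):
    """Per-account salts: every (account, candidate) pair needs its own stretched hash."""
    found = {}
    for user, (salt, stored) in db.items():
        for candidate in wordlist:
            if hmac.compare_digest(salted_stretched_hash(candidate, salt, cost), stored):
                found[user] = candidate
                break
    return found


def compare_costs():
    """Attacker work for a bulk attack on all accounts versus a targeted attack on one."""
    results = {}
    for label, accounts in (("bulk", SAMPLE_ACCOUNTS), ("targeted", {"bob": SAMPLE_ACCOUNTS["bob"]})):
        c = Cost()
        crack_unsalted(store_unsalted(accounts), WORDLIST, c)
        results[label + "_unsalted"] = c.units
        c = Cost()
        crack_salted(store_salted(accounts), WORDLIST, c)
        results[label + "_salted"] = c.units
    return results


if __name__ == "__main__":
    for k, v in compare_costs().items():
        print(f"{k:18s} {v:6d} hash units")
```

In the bulk case the salted, stretched store costs the attacker more than ITERATIONS times the unsalted one, because the salt removes the ability to test a candidate against all accounts with a single hash. In the targeted case the ratio is exactly ITERATIONS: the salt did nothing extra, which is the slide's point that salts matter little against a targeted attack while the stretching still does.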
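Added example for the online-attack item "per-source rate limiting", not code from the slides. It is a token bucket keyed by source address (class and parameter names are this example's own), replayed over a constructed login-attempt log: one source sprays many usernames in a few seconds and gets cut off after its allowance, a second source making two normal attempts is never affected, and the first source is allowed again once its bucket has refilled.

```python
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class PerSourceRateLimiter:
    """Token bucket per source address (hypothetical helper written for this example).

    Each source starts with `capacity` attempts and earns `refill_per_sec` more per
    second, capped at `capacity`. The decision is taken before the password is checked,
    so a rejected attempt costs no hash computation and leaks nothing about the password.
    Keying by source rather than by account means an attacker cannot lock a victim out
    simply by hammering that victim's username.
    """

    def __init__(self, capacity=5, refill_per_sec=0.1):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets = {}  # source address -> Bucket

    def allow(self, source, now):
        b = self.buckets.setdefault(source, Bucket(self.capacity, now))
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True


# Constructed attempt log: (seconds since start, source address, username tried).
# 203.0.113.7 sprays eight usernames in eight seconds and returns a minute later;
# 198.51.100.4 is a normal user retrying once.
ATTEMPTS = [
    (0, "203.0.113.7", "alice"), (1, "203.0.113.7", "bob"), (2, "203.0.113.7", "carol"),
    (3, "198.51.100.4", "dave"),
    (3, "203.0.113.7", "dave"), (4, "203.0.113.7", "erin"), (5, "203.0.113.7", "frank"),
    (6, "203.0.113.7", "grace"), (7, "203.0.113.7", "heidi"),
    (8, "198.51.100.4", "dave"),
    (70, "203.0.113.7", "ivan"),
]


def replay(attempts, limiter=None):
    """Run the log through a limiter; returns (time, source, user, allowed) per attempt."""
    limiter = limiter if limiter is not None else PerSourceRateLimiter()
    return [(t, src, user, limiter.allow(src, t)) for t, src, user in attempts]


def summarize(decisions):
    """Count (allowed, rejected) attempts per source."""
    out = {}
    for _, src, _, ok in decisions:
        allowed, rejected = out.get(src, (0, 0))
        out[src] = (allowed + 1, rejected) if ok else (allowed, rejected + 1)
    return out


if __name__ == "__main__":
    for t, src, user, ok in replay(ATTEMPTS):
        print(f"t={t:3d} {src:14s} {user:6s} {'allowed' if ok else 'REJECTED'}")
    print(summarize(replay(ATTEMPTS)))
```

The limiter is only as good as the notion of "source": an attacker spreading attempts across many addresses stays under every individual bucket, which is why the slide lists behavior analysis and additional factors alongside rate limiting rather than instead of it.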