Takeaways

- Salting and stretching are a must, but you knew that
- Unreadable local parameter is also a must for large user/password databases - need two extra devices
- HSMs might (not) be safer than regular machines
- PBKDF2 is not good enough unless we're on GPU
- Use of hardware beyond CPU + RAM for password stretching is tricky and currently not obviously beneficial overall (considering extra R&D, risks, cost) - further research and experiments are needed
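
An added example, not from the original slides: one way to combine salting, stretching and a local parameter, assuming the local parameter is a secret key that a separate device applies with HMAC-SHA-256. The names `LocalParameterDevice`, `enroll`, `verify` and `database_only_check`, and the choice of scrypt for stretching, are this example's assumptions; the class only stands in for real separate hardware.

```python
import hashlib
import hmac
import secrets


class LocalParameterDevice:
    """Stand-in (assumption) for the separate device holding the local parameter.

    The host that stores the hashes can request the keyed transform,
    but the key itself is never written next to the hash database.
    """

    def __init__(self):
        self.__key = secrets.token_bytes(32)

    def apply(self, stretched: bytes) -> bytes:
        return hmac.new(self.__key, stretched, hashlib.sha256).digest()


def stretch(password: str, salt: bytes) -> bytes:
    # Salted, memory-hard stretching; n=2**14, r=8 uses about 16 MiB per hash.
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8,
                          p=1, maxmem=64 * 1024 * 1024, dklen=32)


def enroll(password: str, device: LocalParameterDevice) -> dict:
    salt = secrets.token_bytes(16)  # unique per stored password
    return {"salt": salt, "tag": device.apply(stretch(password, salt))}


def verify(password: str, record: dict, device: LocalParameterDevice) -> bool:
    candidate = device.apply(stretch(password, record["salt"]))
    return hmac.compare_digest(candidate, record["tag"])


def database_only_check(guess: str, record: dict) -> bool:
    """What can be computed from a copied database alone: the salt and the
    stretching are known, the local parameter is not, so even the right
    password cannot be confirmed offline."""
    return hmac.compare_digest(stretch(guess, record["salt"]), record["tag"])


if __name__ == "__main__":
    device = LocalParameterDevice()
    record = enroll("constructed sample password", device)
    print("verify with device:", verify("constructed sample password", record, device))
    print("database-only check:", database_only_check("constructed sample password", record))
```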