You make a good point. See here for a previous take on it: http://spiresecurity.com/?p=355. I would point out, as I tried to in the previous article, that there is more to password compromise than the crack itself. I would assert that the crack is much less common than the phish and that my argument still holds up with phishing. In addition, we shouldn’t forget the time/effort it takes to get the hash prior to the crack.

“Best practice” is a tricky concept but I agree some sort of multifactor auth solution would fit. I just don’t believe the risk is particularly high for many of the things we require passwords for and so “best” is unnecessarily costly and “reasonable” would work fine.