in reply to Password strength calculation

The most dangerous break-ins are those where some cyber criminal is able to get the master password file for thousands of users! Or get a DB with credit card numbers. A huge amount of effort should be focused on that.

Cracking a single individual's password, one at a time, is normally not an effective strategy for a criminal who is interested in huge financial gain. As we've seen, targeting specific individuals (like celebrities) can have significant payback to get that one single account. But that is not, for a website as a whole, the most dangerous thing.

Update: When you get into "passphrases" instead of passwords, like: "MyMomHatedthe'57chevy", showing the printed text on the screen isn't that bad (might be hard for you as the account holder to get it right). This passphrase is very difficult to crack if you only have the encrypted version and are using brute force. If you have a short password and I'm looking at what you type (normal folks don't type that fast), I can know enough to "fill in the blanks" that I don't know by experimentation. I turn around and look the other way when one of my clients has to type an important password.