Board Beginners & Help
Re: Security Guidelines for BitCoin Exchange Markets
by smartcardguy on 21/06/2011, 20:44:42 UTC
Database Security:
  • Passwords must be hashed using SHA-512 or BlowFish derived ciphers that are slow in computation, slowing down brute force attacks.
If one is to use a password-based authentication system, which hash to use is less important than how you use it, specifically what scheme you apply to salting. While larger hashes, even with proper hashing, increase the amount of memory needed for pre-computed tables, it doesn't eliminate the threat; proper salting can.

I would add that the most important mitigations a web authentication infrastructure offers are related to how account lockout and recovery work.

Additionally, integration of multi-factor authentication techniques, for example "enrolling" a machine as a legitimate console from which trading can occur by setting an AES key into the cookie post-"enrollment" that has to be present for authentication into the account without additional account proofs, also helps a lot and does not (if done correctly) make the usability of the system poor.

Generally I encourage customers to adopt authentication frameworks (a la OpenID, Facebook, etc.) or federate; however, I don't think this is appropriate for exchanges, in that the security needs of these systems are different and you expose yourself to their risks (to some degree) by doing this.

Trading Procedures:
  • The exchange must state what kind of circuit breaker protocols are used in place. Explanation: http://forum.bitcoin.org/index.php?topic=20720.msg259385#msg259385
  • The exchange must state its operating hours and holidays.
  • The exchange must state what security measures are in place should it operate 24/7 or at certain hours and when security updates would be rolled out.
Transaction thresholds that escalate based on reputation (transaction history, norms, etc.) are also very valuable, though I can appreciate that there would be resistance to this, but it can be one of the most effective mitigations.

Login:
  • Use CAPTCHA or similar methods to prevent automated brute-force attacks on logins.
CAPTCHA offers very limited value; account lockout is more appropriate.
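
Added example, not part of smartcardguy's post: a minimal login store that combines the two points made above, a per-account random salt (so one pre-computed table cannot cover all accounts) and account lockout after repeated failures. The class name, the policy constants and the choice of PBKDF2-HMAC-SHA512 as the slow hash are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5         # assumed policy value, not from the post
LOCKOUT_SECONDS = 900    # assumed policy value, not from the post
ITERATIONS = 210_000     # assumed PBKDF2 work factor

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash: the salt makes every account's digest unique.
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, ITERATIONS)

class AccountStore:  # hypothetical in-memory store for the example
    def __init__(self, clock=time.time):
        self.clock = clock   # injectable so lockout expiry can be tested
        self.users = {}

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)  # fresh random salt per account
        self.users[name] = {"salt": salt,
                            "hash": hash_password(password, salt),
                            "failures": 0, "locked_until": 0.0}

    def login(self, name: str, password: str) -> str:
        rec = self.users.get(name)
        if rec is None:
            return "denied"  # same answer as a wrong password
        now = self.clock()
        if now < rec["locked_until"]:
            return "locked"  # refused before the password is even checked
        candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["hash"]):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILURES:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
        return "denied"

if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "constructed-sample-password")
    print(store.login("alice", "constructed-sample-password"))
```

While an account is locked, even the correct password is refused, which is what caps the number of guesses an automated attacker gets per lockout window.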