
If the password database is somehow stolen without the website being compromised, sure. When people manage to break into the database they almost always seem to have gotten access through an exploit that takes control of the web server, though (which makes intuitive sense if you think about it). But it turns out that the really correct way of doing authentication, a challenge response rather than the idiotic "send my password to the server, allowing bugs along the route in SSL or malicious administrators to steal the password in transit", happens to make you lose that benefit anyway, as the client has to be given the algorithm to hash and salt their way to what is then effectively the password.
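The trade-off the comment describes, as an added illustration that is not part of the thread: a toy challenge-response login where the server stores a salted, stretched verifier and the client proves knowledge of the password by keying an HMAC over a server nonce. Because the server checks the response with the same stored verifier, whoever holds that database record can answer the challenge without ever learning the password, which is exactly the benefit the comment says is lost. The contrasting `password_scheme_verify` shows the send-the-password design, where the stored record only lets an attacker attempt offline cracking. All names, the PBKDF2 parameters and the sample password are assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Illustrative parameters (assumed for this example, not from the thread).
ITERATIONS = 50_000


def derive_key(password: str, salt: bytes) -> bytes:
    """Client side: stretch the password with the server-supplied salt.

    The result is the effective credential in the challenge-response scheme.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str) -> dict:
    """Server side: store salt + derived key. This record is what a DB theft exposes."""
    salt = os.urandom(16)
    return {"salt": salt, "verifier": derive_key(password, salt)}


def issue_challenge() -> bytes:
    """Server picks a fresh random nonce per login attempt (never reuse one)."""
    return secrets.token_bytes(32)


def respond_with_key(key: bytes, nonce: bytes) -> bytes:
    """Response = HMAC(derived key, nonce). Only knowledge of the key is proven."""
    return hmac.new(key, nonce, "sha256").digest()


def client_respond(password: str, salt: bytes, nonce: bytes) -> bytes:
    """Honest client: derive the key from the password, then answer the challenge."""
    return respond_with_key(derive_key(password, salt), nonce)


def server_verify(record: dict, nonce: bytes, response: bytes) -> bool:
    """Server recomputes the expected response from the stored verifier."""
    expected = hmac.new(record["verifier"], nonce, "sha256").digest()
    return hmac.compare_digest(expected, response)


def stored_record_is_password_equivalent(record: dict) -> bool:
    """The comment's point: the stored verifier alone answers a fresh challenge."""
    nonce = issue_challenge()
    return server_verify(record, nonce, respond_with_key(record["verifier"], nonce))


def password_scheme_verify(record: dict, submitted_password: str) -> bool:
    """Send-the-password design: the server hashes what the client transmitted.

    Here the stolen verifier is not directly usable as a login credential; an
    attacker must crack it offline first. The price is that the plaintext
    password travels to the server on every login.
    """
    candidate = derive_key(submitted_password, record["salt"])
    return hmac.compare_digest(candidate, record["verifier"])
```

Two properties are worth checking on realistic input: a wrong password fails the challenge, and submitting the stolen verifier bytes as if they were the password fails the send-the-password scheme while succeeding in the challenge-response one. The nonce must be unpredictable and single-use, otherwise a captured response can be replayed. Protocols such as SRP and SCRAM are designed so that the stored record by itself is not enough to impersonate the client, which is the usual answer to the weakness this toy scheme exhibits.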

