I suppose with public and private keys that there are ways to know whether a username and password are valid without having and storing the actual original values.
But AFAIK, the problem remains. If the system is compromised, then it's only a matter of time before account information can be compromised as well.
But I'm no expert on this stuff...
Cheers,
Scott.