One example of extreme login security that I've seen is with treasurydirect.gov. Password: min 8 char, 1 letter, 1 number, 1 special. Mailed key card: 7 x 5 alpha numeric grid with a random 3 char series ((A2, G5, F5) for example), 1 out of 3 sets of 10 digit numbers on your key card, 3 security questions on unrecognised computers (out of around 10 - you must remember which 3 questions you set and answer them appropriately), and to top it all off, no keyboard entry - you have a randomly ordered soft keyboard that must be clicked for all password and keycard entries.
Personally, I think it's overkill, but I'll admit that I wouldn't envy anybody tasked with getting someone's account.
Ever had a bank account in Switzerland? Swiss Post uses two-factor authentication with challenge-response for online logins.
First you enter a password, and you get a challenge code back. You insert your card into a device they send you, then enter the pin and the code. The device displays a response code that you enter into the website.
That's pretty good. My bank has something like that for their online data storage, except instead of a device that will give me the code (I could get that for $25 they say), they send me a sms with the code after I enter my password.
Personally, I think it's overkill, but I'll admit that I wouldn't envy anybody tasked with getting someone's account.