Companies protect stored passwords in various ways: some encrypt them, and there are also techniques called hashing and salting. The upshot is that the average user will not take the time to find out how a given company protects its passwords, whether by encryption, hashing or salting.

The average user doesn't know how vulnerable their password is. More often than not, leaked passwords are fully readable, and they are then sold on the black market at a price that depends on who the user is and what level of access they have.

Password strength only helps when someone has to guess your password. If the password is taken from a database that stores it unprotected, it is fully exposed regardless of how strong it is. That is one of the fallacies of relying on password strength in a database leak, and it is why organisations require users to change their passwords frequently.
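To make that point concrete, here is an added example (not from the article) that stores two constructed sample accounts once in plaintext and once as salted PBKDF2 hashes, then shows what each kind of leak gives away: the plaintext leak exposes both passwords outright, while the hashed leak only reveals the weak one that a short constructed guess list happens to contain. The user names, passwords, guess list and iteration count are all assumptions for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample credentials for the demonstration (not real accounts).
USERS = {"alice": "correct-horse-battery-staple-42", "bob": "password123"}
# Constructed guess list standing in for a public wordlist; it contains
# bob's weak password but not alice's strong one.
GUESSES = ["123456", "password123", "letmein"]
ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, not from the article


def store_plaintext(users):
    """Store passwords as-is: what an unprotected database leak exposes."""
    return dict(users)


def store_salted(users):
    """Store a per-user random salt plus a PBKDF2-HMAC-SHA256 hash."""
    records = {}
    for user, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        records[user] = (salt, digest)
    return records


def verify(record, candidate):
    """Check a candidate password against a salted record in constant time."""
    salt, digest = record
    test = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(test, digest)


def recover_from_plaintext(leak):
    """A plaintext leak yields every password directly; strength is irrelevant."""
    return dict(leak)


def recover_from_salted(leak, guesses):
    """A salted-hash leak yields only the passwords a guess list contains."""
    recovered = {}
    for user, record in leak.items():
        for guess in guesses:
            if verify(record, guess):
                recovered[user] = guess
                break
    return recovered
```

Running `recover_from_plaintext(store_plaintext(USERS))` returns both accounts, whereas `recover_from_salted(store_salted(USERS), GUESSES)` returns only bob's entry; alice's strong password stays protected because it has to be guessed.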

Bottom line: a second authentication factor is necessary to keep an account safe.