Nice editorial Steve! The last 2 places that I have worked with large production systems, internal company accounts were all Windows AD accounts.

The lone exception, 3rd party vendors software. whenever they came in house and asked for SA access we could normally get the Software Engineers on the phone and get the settings lowered, example if it needed the ability to truncate or drop and create structures, that is just DDL_Admin on the database in question, not SA for the entire server.

For password's there have been different requirements. I've worked in places where the DBA's would create the account and issue the password, I would use Keypass http://keepass.info/ to randomly generate a complex password and store it.

I've worked in others where the DBA's would request an account, and we would be issued a password from a password management group. and if a SQL Authentication account was required we would get the password from this department, and then create the account and assign permissions.