• And by strong, we don't mean 8 characters long.

    At least 15 truly random characters is a good start.

    Minimum permissions at the finest are column based permissions; if that's too difficult, table based, and if that's too difficult, schema based, and so on. Do not allow sysadmin, do not allow db_owner, do not allow securityadmin, etc. Don't give permissions that aren't actually used and needed. Don't be afraid to use DENY as well.
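As an added example (not from the original answer), the column-level GRANT and DENY pattern described above written out as T-SQL for a hypothetical application login, followed by two checks a DBA can run to see who holds the roles the answer warns against. The database `AppDb`, schema `sales`, tables `Customers` and `Orders`, their columns, and the login `app_svc` are all assumptions for illustration; the catalog views and `fn_my_permissions` are real SQL Server objects.

```sql
-- Added example, not part of the original answer. AppDb, sales.*, app_svc and
-- the column names are assumed; replace them with your own objects.
USE AppDb;
GO

-- One dedicated login/user per application; it gets no fixed server or
-- database role beyond public.
CREATE LOGIN app_svc WITH PASSWORD = 'REPLACE-WITH-15-PLUS-RANDOM-CHARS', CHECK_POLICY = ON;
CREATE USER app_svc FOR LOGIN app_svc;
GO

-- Column-level grant: the app reads only the columns it actually uses.
GRANT SELECT (CustomerId, DisplayName, Email) ON OBJECT::sales.Customers TO app_svc;

-- Table-level grant for the one write the app performs; nothing else in the schema.
GRANT INSERT ON OBJECT::sales.Orders TO app_svc;

-- DENY overrides a GRANT that arrives later through role membership, so it is
-- a guard for a column this principal must never read. Documented caveat: a
-- column-level GRANT is NOT overridden by a table-level DENY, so keep the DENY
-- at least as specific as any GRANT.
DENY SELECT (NationalIdNumber) ON OBJECT::sales.Customers TO app_svc;
GO

-- Check 1: who currently holds high-privilege server roles.
SELECT r.name AS server_role, m.name AS member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'securityadmin', 'serveradmin');

-- Check 2: who holds db_owner / db_securityadmin in this database.
SELECT r.name AS database_role, m.name AS member
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('db_owner', 'db_securityadmin');

-- Check 3: the effective permissions app_svc ends up with on the table,
-- evaluated as that user (subentity_name shows column-level entries).
EXECUTE AS USER = 'app_svc';
SELECT entity_name, subentity_name, permission_name
FROM fn_my_permissions('sales.Customers', 'OBJECT');
REVERT;
```

Run the three checks before and after a permission change; the third is the quickest way to confirm that a role added later did not quietly widen what the application account can read.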

    Keep your antivirus up to date and running (exclude data, log, and backup files), keep SQL Server patched (at least all security patches), keep Windows patched (at least all security patches), etc.

    If you want to protect your data in the database, even from DBAs, you can code your application to encrypt the data. Do not write your own encryption.

    If you want to protect passwords in the database, use PBKDF2, bcrypt, scrypt, or similar, with large numbers of iterations (thousands to hundreds of thousands). See http://stackoverflow.com/questions/7837547/is-there-a-sql-implementation-of-pbkdf2/12291671#12291671

    If you want to protect your data in transit, turn on SSL (load a certificate and turn on "Force Encryption" in SQL Server Configuration).

    If you want to protect your data in files, you can use TDE (Transparent Data Encryption) in Enterprise edition, or Truecrypt, or other disk/volume level encryption software.
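Two verification queries, added here as an example rather than taken from the original answer, that show whether the in-transit and at-rest settings from the previous two points are actually in effect. Only real SQL Server catalog and dynamic management views are used; there are no assumed names.

```sql
-- Added example, not part of the original answer. No assumed object names:
-- every view and column below is a standard SQL Server catalog/DMV object.

-- In transit: once Force Encryption is on and the service restarted, every
-- connection should report encrypt_option = 'TRUE'. Any row returned here is
-- a session that negotiated plaintext (or a client still using the old setting).
SELECT c.session_id, c.net_transport, c.auth_scheme, c.client_net_address, c.encrypt_option
FROM sys.dm_exec_connections AS c
WHERE c.encrypt_option <> 'TRUE';

-- At rest: TDE state per user database. encryption_state 3 = encrypted;
-- 2 and 4 = encryption/decryption scan in progress; 0 or 1 = not encrypted,
-- even if a database encryption key already exists. A NULL row means TDE
-- was never configured for that database.
SELECT d.name, d.is_encrypted, k.encryption_state, k.key_algorithm, k.key_length
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k ON k.database_id = d.database_id
WHERE d.database_id > 4   -- skip master, tempdb, model, msdb
ORDER BY d.name;
```

The first query is worth scheduling: a setting toggled in Configuration Manager proves nothing until the connections themselves show it, and a connection string that disables encryption on the client side will still show up as FALSE here.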

    Note that encryption is very hard to do right - the slightest detail can be a real problem that's nearly impossible to find.