• Great discussion.

    I like the password generators.  The easier you can make it to get a long/strong password, the more likely people are to use them.

    Vendor applications that require elevated privileges (or even use a hard-coded sa account and password) can be a thorny issue.  We don't want them on our servers, but the business wants them so they can remain competitive.  To accommodate both sides, I try to segregate vendor application databases on their own instance to keep them away from corporate data, when possible.

    Don't forget to have the SQL Service for the "vendor" instance run under a different domain account than your "corporate" SQL Servers so the vendor instance won't have access to any valuable permissions on your corporate instance.
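A way to verify the separation the comment above recommends, as an added example that is not part of the original post: run this T-SQL on the corporate instance to see which account its own service runs under and whether the vendor instance's service account holds any login or server-role membership there. The vendor account name is a constructed placeholder; substitute your own.

```sql
-- Run on the CORPORATE instance (requires VIEW SERVER STATE).
-- Placeholder (constructed): the domain account the VENDOR instance's service runs under.
DECLARE @VendorServiceAccount sysname = N'CORP\svc-sql-vendor';

-- 1. Which account does this instance's Database Engine service run under?
--    It must differ from @VendorServiceAccount, or the instances share an identity.
SELECT servicename,
       service_account,
       CASE WHEN service_account = @VendorServiceAccount
            THEN 'PROBLEM: same account as vendor instance'
            ELSE 'OK: distinct service account' END AS separation_check
FROM sys.dm_server_services
WHERE servicename LIKE N'SQL Server (%';

-- 2. Does the vendor service account have a login on this instance at all?
--    Ideally this returns no rows.
SELECT sp.name, sp.type_desc, sp.is_disabled, sp.create_date
FROM sys.server_principals AS sp
WHERE sp.name = @VendorServiceAccount;

-- 3. If it does exist, which server roles (sysadmin, etc.) is it a member of?
--    Any row here means the vendor instance's identity carries privilege on corporate data.
SELECT r.name AS server_role, m.name AS member_login
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @VendorServiceAccount;
```

Run the same script on the vendor instance with the corporate service account substituted to confirm the separation holds in both directions.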