• I must admit I still prefer different passwords for different systems. However, we do have a few things that make our lives easier.

    • We do implement a password database; all passwords encrypted, those with access grouped and visibility limited according to those groups
    • Password expiry periods vary depending on the system. Test and Dev instances don't need to be changed as frequently as Live. Databases containing Financial or HR data certainly need tighter security than the telephone directory DB.
    • We give an administrator appropriate rights to their AD account so that most changes appear in the log under their name, thereby being traceable. The SA and machine admin accounts can then have far more complex passwords since they're rarely used (and rightly so, in my opinion).

    I realise the potential issues surrounding a database of passwords, and I'm certainly not going to discuss our implementation. However, I will say we've tried to break it in enough ways (that haven't worked) that we can have confidence in its strength. It's certainly not the weakest part of our security portfolio.

    Semper in excretia, suus solum profundum variat
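The three mechanisms the post describes (a password store whose entries are visible only to a named group, a rotation period that depends on the system's tier, and reads logged under the individual's own account rather than a shared SA account) can be modelled in a few lines. The following is an added example, not the poster's implementation or any real product: the tier names, rotation periods, group names and sample credentials are all constructed here, and encryption at rest is assumed to be handled by a layer outside this snippet, so `secret` holds the already-decrypted value.

```python
from dataclasses import dataclass, field
from datetime import date

# Rotation period per system tier (constructed policy values, not the poster's).
# Live systems rotate faster than Test/Dev, matching the post's point.
ROTATION_DAYS = {"live": 90, "test": 180, "dev": 180}

# Fixed "today" so the example is deterministic (constructed).
SAMPLE_TODAY = date(2024, 6, 1)


@dataclass
class Credential:
    system: str         # which database/host this password belongs to
    tier: str           # "live", "test" or "dev"
    group: str          # only members of this group may see the entry
    secret: str         # assumed already decrypted by an external vault layer
    last_rotated: date  # when the password was last changed


@dataclass
class Vault:
    entries: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)  # (date, user, system, action)

    def visible(self, user_groups):
        """Systems whose entries this user may see, by group membership."""
        return [e.system for e in self.entries if e.group in user_groups]

    def read(self, user, user_groups, system, today=SAMPLE_TODAY):
        """Return the secret for `system`, logging the access under `user`.

        The log line carries the named individual (their own account), which is
        what makes the access traceable even though the target account is shared.
        """
        for e in self.entries:
            if e.system != system:
                continue
            if e.group not in user_groups:
                self.audit_log.append((today, user, system, "DENIED"))
                return None
            self.audit_log.append((today, user, system, "READ"))
            return e.secret
        return None  # unknown system: nothing to read, nothing to log

    def rotation_due(self, today=SAMPLE_TODAY):
        """Systems whose password is older than their tier's rotation period."""
        return [
            e.system
            for e in self.entries
            if (today - e.last_rotated).days > ROTATION_DAYS[e.tier]
        ]


def build_sample_vault():
    """Constructed sample data: an HR database (Live and Test) and a phone-book DB."""
    v = Vault()
    v.entries.append(Credential("hr-db", "live", "dba-hr", "hr-secret-1", date(2024, 1, 1)))
    v.entries.append(Credential("phonebook-db", "live", "dba-general", "pb-secret-1", date(2024, 4, 1)))
    v.entries.append(Credential("hr-db-test", "test", "dba-hr", "hr-test-secret", date(2024, 1, 15)))
    return v


if __name__ == "__main__":
    vault = build_sample_vault()
    print("visible to dba-hr:", vault.visible({"dba-hr"}))
    print("alice (dba-general) reads hr-db:", vault.read("alice", {"dba-general"}, "hr-db"))
    print("bob (dba-hr) reads hr-db:", vault.read("bob", {"dba-hr"}, "hr-db"))
    print("rotation due:", vault.rotation_due())
    for line in vault.audit_log:
        print("audit:", line)
```

With the sample data, `hr-db` is 152 days old and so past the 90-day Live period, while the Test copy at 138 days is still within its 180-day period and the phone-book DB at 61 days is fine; the audit log records both the denied and the successful read against the named user rather than the shared account.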