DBAs have multiple accounts: Regular accounts are in a security group that has SA rights on the servers in that domain. Each DBA has a service account in each domain. This is the only account that can be used to remotely log into a server.

SQL has a service account in each domain. All sql servers on that domain use the same account. PW is changed every 60 days. Each domain has a different password.

SA logins are different on all servers. The DBAs use sa to log into servers on other domains than their root account.

Passwords are stored in KeePass[/url], with a medium-strength password that by now we have all memorized.

When anyone with a service account leaves, all sql service account passwords are changed. If a DBA leaves, all SA passwords are also changed.