So they know the user name to attack is "sa". Big deal. If God wanted to make your life harder and he gave the first two letters of your password to your enemies, you'd just make a password two more letters longer and be just as secure as before. This is why God usually doesn't mess around like that and sends plagues, frogs, plagues of frogs that eat backup tapes, and the angel of death, instead.
Since these days a compromised password means that your entire database and credit card number are copied to Peking and Moscow in about 500 milliseconds, I don't quite see the point of changing it once a month, although I think someone explained it to me once.
On one set of systems (UNIX) I set "random" hexadecimal numbers of just 3 bytes, 123abc, each different, and since the systems had some funny ideas about acceptable passwords I used 0qz123abc one month (I do it even if I don't believe in it) and 469cadqz0 next month, turn about. And for site visits I remotely changed it to "convenient" instead - or to something which I forget now.
In a recent discussion here, someone was insisting that for user security the thing to do is to rely on Windows authentication to SQL Server. Well, maybe.
What we don't do, but I'd like to, is use bar codes for the passwords - then there's a physical object but it doesn't matter how very hard the magic word is to type, because you don't. I'm not sure what the current price tag is on a bar code scanner, but since you can get a webcam for less than $20 it should be pocket money. I did look once for "read bar codes on web cam" software. It appeared that somebody someplace like Chile, somewhere rather volatile in Central or South America I mean, had put one such online, as a college project prototype, then disappeared. I wondered if he'd been rubbed out by the international consortium of bar code reader manufacturers. Or he just left college, more likely. I hope so, anyhow.
I have an RSI-type disability and one possible alternate computer input method is an array of barcodes that I can point a scanner or a camera at. As it is, I'm getting on pretty well with a touchscreen product called Fitaly.