In my opinion, the sa account's password must be as complex as possible - and used as little as possible. For non-emergency work, the DBA's Windows login must be added to the SERVERADMIN role - almost as good as SYSADMIN, but not that good.
As a standard practice, all users and applications must use Integrated Security, i.e. Windows authentication.
SQL Server itself ships with some great roles - we should be making use of them based on the requirement; and if we can't, we should have a limited-permissions user role, and all the necessary users should be part of that role.
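The setup described in the post, written out as T-SQL. This is an added example, not code from the original post or from any product documentation; the domain, login, database, schema and role names (CORP\dba_alice, CORP\svc_orders, AppDB, dbo, app_orders_rw) are constructed placeholders, and the sa password string is a placeholder to be replaced with a long random value before running.

```sql
-- Added example (not from the original post). All principal, database and
-- role names below are constructed placeholders.

-- 1. DBA gets a Windows-authenticated login in the serveradmin fixed server
--    role for routine work, instead of being a member of sysadmin.
CREATE LOGIN [CORP\dba_alice] FROM WINDOWS;
ALTER SERVER ROLE serveradmin ADD MEMBER [CORP\dba_alice];

-- 2. sa keeps a complex password and is disabled so it is only re-enabled
--    for emergencies (disabling is an assumed hardening step, not stated in the post).
ALTER LOGIN sa WITH PASSWORD = '<replace-with-long-random-password>';  -- placeholder
ALTER LOGIN sa DISABLE;

-- 3. The application connects with Integrated Security through a Windows
--    service account, mapped to a database user.
CREATE LOGIN [CORP\svc_orders] FROM WINDOWS;
GO
USE AppDB;
GO
CREATE USER [CORP\svc_orders] FOR LOGIN [CORP\svc_orders];

-- 4. When no built-in role fits, create a user-defined database role holding
--    only the permissions the application needs, and add members to the role
--    rather than granting permissions to individual users.
CREATE ROLE app_orders_rw;
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO app_orders_rw;
GRANT EXECUTE ON SCHEMA::dbo TO app_orders_rw;
ALTER ROLE app_orders_rw ADD MEMBER [CORP\svc_orders];

-- 5. Periodic review: list server-role membership so that stray sysadmin
--    members stand out.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
ORDER BY r.name, m.name;

-- 6. Same review at database level for the custom role.
SELECT dr.name AS role_name, dm.name AS member_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS dr ON dr.principal_id = drm.role_principal_id
JOIN sys.database_principals AS dm ON dm.principal_id = drm.member_principal_id
WHERE dr.name = 'app_orders_rw';
```

Run it with sysadmin rights once during provisioning; after that, the DBA's day-to-day login (serveradmin) can manage server configuration but cannot grant itself sysadmin, which is the point of the split. The two review queries at the end are the cheap check to schedule so that membership drift in sysadmin or in the custom role is noticed.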