leastprivilege.com
Guidance on User and Password Management
The ACE blog has a good checklist on the above topic. Something to have around when implementing the next password based system.