Don't you just hate it when your password explodes, letting the magic smoke out of your server, and setting lp0 ablaze?
In all seriousness, the number of places a person needs a username and password is increasing dramatically. It looks like OpenID won't be solving the problem in the near future, and Single Sign-On seems more like a goal than a reality internally, even disregarding the great big net out there.
I just came from a meeting wherein I was told that we've paid for access to several external sites, and want to lower the bar and increase the likelihood that staff (and students) will make use of these resources. Those speaking felt that our top five- to ten-percent of users might make use of the sites, but if we could provide a way to log people in to the sites (and give them a launching-off page) that the uptake might increase dramatically (and that we could save tech support money but not having to help people when they forget their passwords.)
What are you doing about this problem in your organization? Are there any sensible approaches?
Kerberos gets you 90% there. Then you've got to get your browsers passing kerberos tokens to internal websites (look in about:config on Mozilla variants, search for "nego" to see the preferences).
After that, RADIUS-type authentication for the things that require passwords, or LDAP.
We're making extensive use of the Central Authentication Service (wikipedia entry). It has plug-ins for a lot of things, and we've managed to use it for services that have separate identity information per-user. I believe it can also be used for services where there is a generic login to a site.
There is the keepass option. Keepass can open a website, tab to the correct login fields, type in your username and password and press enter all in one easy click. Put a pre-filled keepass DB on a pendrive and give them to your users, they can store their own passwords in there too.
It might not be good enough for a web-based login system for thousands of users, but it might make users more comfortable that their passwords are secure (and is still a great solution for individual users).
Have a look at Sun's Identity Management package OpenSSO. I believe there is a piece that allows you to create an internal SSO infrastructure that will sign users onto extranet apps. I'm not 100% positive, but it looks to be open source and maybe free.
If the various tools/sites/services support LDAP, while logins may be required, at least they'll be authenticating back to you OpenLDAP or Active Directory infrastructure, so the username and password won't be "new".