You were doing so well right up to this point: "on which of course you can enforce frequent password changes."
Why would you do that? It only encourages users to write their password down somewhere accessible. Frequent password changes are the idle instructions of lazy auditors and are not based on any sort of sound evidence.
If you can't detect compromised accounts then you have already failed.