First, I am very happy to hear about the new policy to generate random passwords for the user and disallow user-selected passwords.
But I think there is much more to be done to improve security.
I have a full response to this post written out here.