Hector:
Excellent post. As an addendum, in case it is not obvious, the developer has to be careful not to hardcode the password in the string - in high-security applications. The password would be easily visible to any decompiler, hex editor, etc.
Better would be to keep it encrypted somewhere and decrypt just when sending the string to establish the connection. A general scrambling algorithm might be OK in some situations but strong encryption using CAPI would be better.
This is better used in the SQLSTRINGCONNECT() option you mentioned.
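
The visibility problem described in the comment above, as an added example that is not part of the original post or comment: a build-time check that scans a compiled binary for connection-string passwords stored as literal ASCII or UTF-16LE text, which is what a hex editor would show. The sample bytes, server name and password values are constructed, and the function names are hypothetical.

```python
import re

# Printable runs, as a hex editor or `strings` would show them.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")  # UTF-16LE text
# Secret-bearing keys in ODBC / OLE DB style connection strings.
SECRET_PAIR = re.compile(r"(?i)\b(pwd|password)\s*=\s*([^;]*)")


def printable_runs(blob):
    """Yield (offset, bytes_per_char, text) for each printable run."""
    for m in ASCII_RUN.finditer(blob):
        yield m.start(), 1, m.group().decode("ascii")
    for m in UTF16_RUN.finditer(blob):
        yield m.start(), 2, m.group().decode("utf-16le")


def find_embedded_passwords(blob):
    """Report literal passwords; the value itself is never returned."""
    findings = []
    for offset, width, text in printable_runs(blob):
        for m in SECRET_PAIR.finditer(text):
            value = m.group(2).strip()
            if not value:  # empty value: filled in at run time
                continue
            findings.append({
                "offset": offset + width * m.start(1),
                "encoding": "ascii" if width == 1 else "utf-16le",
                "key": m.group(1),
                "value_length": len(value),
            })
    return findings


# Constructed sample: a fake binary holding one ASCII literal, one
# UTF-16LE literal, and one string whose password is left empty.
CONN = "DRIVER={SQL Server};SERVER=db01;UID=app;"
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + (CONN + "PWD=Constructed#1;").encode("ascii") + b"\x00\x01\x02"
    + (CONN + "Password=Constructed#2").encode("utf-16le") + b"\x00\x00\xff"
    + (CONN + "PWD=;").encode("ascii")
)

if __name__ == "__main__":
    for finding in find_embedded_passwords(SAMPLE):
        print(finding)
```

A clean result only shows that no literal password is present in these two encodings; a scrambled or encrypted value, as the comment suggests, will not match and needs its own review.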