>What security/encryption (if any) happens to the connection string - specifically the password - going over the wire when a SQLStringConnect() is used to connect to SQL Server? Is there anything that can be done to add/increase the security of these strings?

By default nothing happens, meaning no encryption takes place. You can however use the "Multiprotocol" protocol instead of TCP/IP and use encryption in the data transfer. I have never really used this option, but from what I have read this would be the way to go. To use the "Multiprotocol" protocol you need to indicate so in your connection string as part of the "network" parameter.

Your other option is to use a VPN and have your application run inside the VPN. That way even though the connection string will not be encrypted, the VPN will provide you with some security out of the box.

Yet another option is not to connect directly to SQL Server, but rather have your application talk to a middle tier component (e.g. a web service) that in turn redirect calls to SQL Server. The middle tier component could receive encrypted requests, decrypt them and then talk to SQL Server.