Hace ya tiempo tambien me preguntaba lo mismo, buscando por Google Groups, he encontrado
un mensaje que mande hace cosa de un año. En el aparece una referencia a un mensaje de la lista "secprog", copio literalmente:
Cita: 1. Hardcode the password in the application source code. This makes it slightly more difficult to find (assuming one makes the effort to hide it a bit better rather than having a single string with the password that can be found with any hex editor) but each time you need to change the password you'd need to change the source code.
2. Save the password in a configuration file and let the application pick it up from there. The permissions on the configuration file should be such that only the application can access it. Needless to say this scheme does not prevent administrators, etc. from accessing the password and also assumes good physical security for the box the application is deployed on.
El primer metodo creo que no serviría, ya que la idea es proteger la contraseña almacenada en un script PHP, por lo que no existen ejecutables compilados. El segundo método parece mas efectívo. ¿Qué metodos utilizais vosotros?