Richard's link to Mike Wolfe's Week in Review for Access on 11/29 had reference to using .INI toolbox for this information.  

https://www.linkedin.com/pulse/developer-helpers-ini-file-toolbox-complete-solution-marcus-dieterle-fbnte/

Joseph You're right to be careful here, but I wouldn't rely on a password-protected ACCDB for real security. Access passwords are basically light obfuscation and there are plenty of tools that can remove them, so I wouldn't treat that as a safe place to hide a SQL login.

The cleaner approach is to ship a generic ACCDE front end and let the client maintain their own config. On startup, your app reads their settings from an external source they control: an INI file, a small ACCDB with a settings table, or even a registry key. If they can use Windows authentication, that's ideal because you're not storing any SQL username or password at all, just the server and database names.

If they insist on using SQL passwords, then the real security needs to live on the SQL Server side, not in Access. Give them a least-privilege SQL account, restrict what it can do, and accept that anything stored on a user's workstation can be extracted if someone is determined enough. You can lightly encrypt or obfuscate the config file if you want, but that should be considered a speed bump, not a lock.

That keeps you out of their data, gives them full control, and keeps your front end simple and portable.

John INI files are fine for config, but I wouldn't store passwords in them unless they're heavily encrypted.