hidenory,

I beg to differ with you as my experience is different.

A while ago I wanted to ensure that InstallShield does actually encrypt those passwords as one of our clients had that requirement. It appears the SQL login credentials are available in plain text under Direct Editor > Property table > IS_SQLSERVER_PASSWORD as shown in screenshot below.



Unfortunately, we were told that InstallShield doesn't encrypt the passwords by default. In order to secure the SQL crendentials, we had to stop using the traditional 'IS_SQLSERVER_' properties and instead write our own protection classes and call those methods through custom actions.

That is correct that the value of the IS_SQLSERVER_PASSWORD property is visible in the Property table if you provide a default password. However, a password that you specify at run-time is not visible because InstallShield treats that property as a hidden property to prevent the installer from displaying it in the log file, and masks the Password field on the SQLLogin dialog as follows:

Property(S): PackageCode = {3B00A3C2-44FE-42D4-9F77-33B951CD7D29}
Property(S): IS_SQLSERVER_PASSWORD = **********
Property(S): IS_SQLSERVER_SERVER = 192.168.1.1
Action ended 13:05:34: ExecuteAction. Return value 1.



Also, SQL credentials InstallShield stores in the registry during the initial installation and reuses for maintance/uninstall are encrypted.