If you use multi-protocol net-lib with encryption then SQL standard security userids/passwords are encrypted along with the data.
When using an NT userid/trusted connection then passwords are not passed at all - the sids are used as in all NT credential checks.
If you are using SQL 7.0 client drivers talking to a 7.0 server then the SQL standard security userid/password is encrypted regardless of net-lib.
In any other case then the SQL standard security userid/password is sent in clear.
If the above options do not provide enough security for you, download Access manager for Windows.
Access manager provides much more security than standard ways in Windows.
More articles about Security