Interesting question, thanks Koen!
I had it wrong because, like Mohammed, I had to google - and I found this reference that appears to contradict the reference Koen used:
In an Integration Services package, the following information is defined as sensitive:
(...)
* Any variable that is marked as sensitive. The marking of variables is controlled by Integration Services.
(...)
Also, for the protection levels that use a password, Integration Services uses the Triple DES cipher algorithm with a key length of 192 bits, available in the .NET Framework Class Library (FCL).
Can anyone who knows more about SSIS than I do (i.e.: something) comment on this apparent contradiction?
EDIT: Inserted quote in quote block for better readability