Interesting question, thanks Koen!
I had it wrong because, like Mohammed, I had to google - and I found this reference
that appears to contradict the reference Koen used:
In an Integration Services package, the following information is defined as sensitive:
* Any variable that is marked as sensitive. The marking of variables is controlled by Integration Services.
Also, for the protection levels that use a password, Integration Services uses the Triple DES cipher algorithm with a key length of 192 bits, available in the .NET Framework Class Library (FCL).
Can anyone who knows more about SSIS than I do (i.e.: something) comment on this apparent contradiction?
EDIT: Inserted quote in quote block for better readability
Hugo Kornelis, SQL Server/Data Platform MVP (2006-2016)
Visit my SQL Server blog: http://sqlblog.com/blogs/hugo_kornelis