That is by design - the password is stored 'securely' in the catalog, which means the connection manager dialog box will only allow you to overwrite the saved password.
Why would your vendor need to grab a password from an SSIS package? Either they have permissions to use that SQL account - and therefore have access to the password - or they don't...and if they have that access then they should have the password.
Better yet - whatever permissions they need should be granted to their Windows account(s) through an AD security group (that has been added to SQL Server).
Problems are opportunities brilliantly disguised as insurmountable obstacles.
How to post questions to get better answers faster[/url]
Managing Transaction Logs[/url]