In my ASP page, I open an ODBC connection with:
Set Conn = Server.CreateObject("ADODB.Connection")
Conn.CommandTimeout = 600
How can I avoid hardcoding the password in the ASP source?
You have a few options. First, you could use a File DSN and include the ID and password inside the file DSN. Then place the File DSN in a directory under NTFS that is not accessible to anybody but the authorized people (and the IUSR_machinename account).
Another option is to not make database calls from the ASP page. Instead have it call a COM component that in turn calls the database. Hide your ID and password inside the compiled COM component, or in the system registry in some weird place.
You could also wait for Windows 2000 which will contain IIS 5.0/COM++, where you can supply the connection string as a string property on a COM++ (previously MTS) package accessible only from the machine itself, and only by authorized users.