To update and close my question...
1, If the SQL server has a specific Username and Password, it is possible for QV (and other ODBC apps) to generate a different XUser and XPass key sequence each time.
Even though the hash key shown is different each time you make the ODBC connection in the script editor, they all still evaluate to the same basic username and password for the SQL.
2, It is possible to avoid authentication, by setting your windows ODBC connection to use windows/user authentication, instead of SQL authentication.
The connection is then linked to your windows usernames, so its a good idea to have your QVS service's running with a proper admin user to get access to the SQL database.
I havn't had any problems with moving the database connection string between environments. Ive done it about 100 times and it hasn't failed once. But if you have some kind of unusual setup (i dont know) try using OleDB instead.
Of course the Xuser and Xpassword is different each time you set up a connection (to the same server and usr/pwd). If they were identical it would be to hard to guess the algoritm :). So the answer to the question if there is a application that can read the xuser and xpassword is NO.
Of course you can turn off authentification, but i guess the DBA might get a bit confused about your security approach.