Subject | Re: Database security |
---|---|
Author | GrumpyRain |
Post date | 2004-11-22T00:43:01Z |

Make sure that the users do not have file access to the fdb file. You
can create an alias and you can set the connection string to:

server:mydatabase

For password information you store (i.e. not database user, but part of
your application), always use a hash algorithm such as SHA-1. SHA-1 is
good for a 160-bit hash, and it is not reversible, which means that the
only way to get the password is to try each combination. Other options
are MD5 etc.

You can also use encryption for important data, such as Blowfish, but
from what I can work out you have to do these yourself. We use a
custom UDF to do the hashing in our application.

Other measures include using an encrypted file system of some sort,
but it really depends on what you are doing as to the sensitivity of
the information. We only really need to protect our application users'
passwords because chances are they use the same password for their
online banking, computer logins, emails, and anything else that asks
for a password (people don't seem to learn).