A company's security assessment noted vulnerabilities on the unmanaged packages in its Salesforce orgs; notably, secrets that are easily accessible and in plain text, such as usernames, passwords, and OAuth tokens used in callouts from Salesforce.

Which persistence mechanisms should an integration architect require to be used to ensure that secrets are protected from deliberate or inadvertent exposure?