DO NOT Save Passwords in Web.Config or App.Config Directly

2016-09-03


We normally save passwords in the project config file while developing a project. However, it should be different when you deploy your project, since most of the time you should keep your customer from touching system passwords such as the database connection password, or API secrets such as Google+ API secret codes.

There are different ways to store sensitive data, and you might have your own great methods. However, you can check other professional .NET developers' ideas here (Best practices for deploying passwords and other sensitive data to ASP.NET and Azure App Service).

Of course, you might not need to separate your passwords if your project is small and you are sure the user will not touch those passwords.