It's best to keep the basic configuration in app.config (or possibly web.config) and not put passwords in it.
But if you do, encrypt them. Leaving passwords on display is especially reckless. It's best to use integrated authentication with the operating system, or authentication with a user name and password that the application asks for and that are not stored anywhere in it.
Of course, some situations may require a different solution.
Done this way, it will be as safe as it can be. Performance is not relevant here, as long as you do not do anything crazy, and not even the worst programmers usually do crazy things with this.
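An added example, not part of the original text: a Python audit of an app.config that flags passwords stored in clear text and accepts integrated authentication, a password supplied at run time, or a section encrypted with .NET protected configuration. The sample file, its server, database and key names, and the assumption that the secrets sit in `connectionStrings` or `appSettings` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample app.config; server, database and account names are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="Plain" connectionString="Server=db01;Database=Shop;User Id=app;Password=example-only" />
    <add name="Integrated" connectionString="Server=db01;Database=Shop;Integrated Security=SSPI" />
    <add name="Prompted" connectionString="Server=db01;Database=Shop;User Id=app" />
  </connectionStrings>
  <appSettings>
    <add key="SmtpPassword" value="example-only" />
    <add key="PageSize" value="20" />
  </appSettings>
</configuration>"""

SECRET_KEYS = {"password", "pwd"}


def parse_connection_string(value):
    """Split 'k=v;k=v' into a dict with lower-cased keys."""
    pairs = (part.split("=", 1) for part in value.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}


def audit_config(xml_text):
    """Return sorted findings as (section, entry name, problem) tuples."""
    root = ET.fromstring(xml_text)
    findings = []
    section = root.find("connectionStrings")
    # A section encrypted with .NET protected configuration carries the
    # configProtectionProvider attribute and has no readable <add> entries.
    if section is not None and "configProtectionProvider" not in section.attrib:
        for add in section.findall("add"):
            fields = parse_connection_string(add.get("connectionString", ""))
            if SECRET_KEYS & fields.keys():
                findings.append(("connectionStrings", add.get("name"), "plaintext password"))
    # appSettings entries whose key name suggests a password and that hold a value.
    for add in root.findall("appSettings/add"):
        if any(s in add.get("key", "").lower() for s in SECRET_KEYS) and add.get("value"):
            findings.append(("appSettings", add.get("key"), "plaintext password"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```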