There are a few possible places to store the string connection.
Leave tied inside code, app.config , configuration file and Windows registry.
What is the best place to store the string connection? Based on the requirements, security, performance.
It's best to have the basic configuration in app.config (possibly web.config ) and do not put passwords in it.
But if you do, do it using encryption. Putting passwords on display is especially reckless. It's best to use Integrated Authentication with Operating System or Authentication Made with user and password requested in the application and not available anywhere in it.
Of course, some situations may require a different solution.
Done this will be safe to the point where it can be safe. The performance is not relevant to this, if you do not do any crazy, but not even the worst programmers usually do crazy things about it.
You can store your connection strings in your app.config , taking into account that this involves security risks, I advise you to read the following article, which helps us to have good practice:
ConnectionStrings - MSDN
You can also encrypt your connection string and continue to store it in the same way, in the same configuration file.
