You should never store passwords anywhere.
If you think about it, the password itself is not needed for authentication. Let's consider the simplest approach: you apply a cryptographic hash function to a password and store only its hashed version.
When the user supplies a password for authentication, you apply the exact same hash function to it and compare the hashed data. Due to the properties of cryptographic hash functions, nobody can reverse it to obtain the original password, so it is kept private to the user.
Warning! Do not use MD5 as it is found to be broken. Use one of the functions from the SHA family, see http://en.wikipedia.org/wiki/SHA-2
Those functions are well implemented in .NET, see what's available here: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm%28v=VS.100%29.aspx
Of course you can apply more "serious" encryption to the passwords, but the main idea is: you never store the original passwords, and you don't know them; only the users know.