Where you store them is a lot less important than what you store: if you are comfortable with XML, then use that. If you are happy with a database (and you won't have to install SQL Server with each installation of your application), then use a database.
Much more important is to store the correct information - not a password, but a hash of the password. Have a look here, it might give you some ideas:
Password Storage: How to do it.
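An added example, not part of the original answer or the linked article: one way to build the value that gets stored instead of the password, as a single string that fits an XML attribute or a database column. The choice of salted PBKDF2-HMAC-SHA256, the iteration count, the `$`-separated record layout and the function names are all assumptions made for this sketch.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"    # label kept in the record (assumed layout)
ITERATIONS = 600_000           # assumed work factor; tune for your hardware
MAX_ITERATIONS = 10_000_000    # refuse absurd values read back from storage
SALT_BYTES = 16


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return the string to store; the password itself is never written."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt per user
    digest = _derive(password, salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify(password: str, record: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        count = int(iterations)
        if algorithm != ALGORITHM or not 1 <= count <= MAX_ITERATIONS:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except ValueError:  # malformed or tampered record: fail closed
        return False
    return hmac.compare_digest(_derive(password, salt, count), expected)
```

Because the iteration count travels inside the record, it can be raised for new records later while old ones still verify.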