Yes, you COULD keep log in information and passwords in your web.config and you can protect those sections by encrypting them. I don’t know if that’s the most suitable place to do so, but given your description I’ll assume that it is the best solution for your case.

Here is a robust way to implement encryption: What is the proper method for encrypting ASP.NET connetionStrings?

private void ProtectSection(string sectionName,
                                   string provider)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section =
                 config.GetSection(sectionName);

    if (section != null &&
              !section.SectionInformation.IsProtected)
    {
        section.SectionInformation.ProtectSection(provider);
        config.Save();
    }
}

private void UnProtectSection(string sectionName)
{
    Configuration config =
        WebConfigurationManager.
            OpenWebConfiguration(Request.ApplicationPath);

    ConfigurationSection section =
              config.GetSection(sectionName);

    if (section != null &&
          section.SectionInformation.IsProtected)
    {
        section.SectionInformation.UnprotectSection();
        config.Save();
    }
}

So to protect the settings you just call the ProtectSection method with the section you wish to protect and the protection provider of your choice (usually DataProtectionConfigurationProvider or RSAProtectedConfigurationProvider):

ProtectSection("appSettings", "DataProtectionConfigurationProvider");

To un-protect a section you call the UnProtectSection method with the section you want to unprotect:

UnProtectSection("appSettings");