Is it secure to store username or password in web.config as the other parameters e.g. timeout period in ASP.NET MVC applications? If not, is it possible to make these parameters securable so that they cannot be encoded in the web.config file on the published server? On the other hand, would you suggest to store username, password and the other constant parameters in a Class (*.cs) file as static values? Could you please clarify me about which approach is better in order to store such parameters?

You should never store sensitive data in source code. You can use the configSource attribute to replace the entire <connectionStrings> markup.

<connectionStrings configSource="ConnectionStrings.config">
</connectionStrings>

ConnectionStrings.config should be in the same folder as Web.config. It's best to keep extension .config, as config files are not served by IIS. This file must be ignored by version control system.

https://www.asp.net/identity/overview/features-api/best-practices-for-deploying-passwords-and-other-sensitive-data-to-aspnet-and-azure

check these links:

http://www.4guysfromrolla.com/articles/021506-1.aspx

http://www.aspnettutorials.com/tutorials/advanced/encrypt-conn-str-asp4-cs.aspx

Better yet, do not use SQL Server Security and instead use Integrated Security and only allow the account your web app (pool) runs under to access the DB.