ASP.NET Forms Authentication mechanism supports optional definitions of name and password credentials within the configuration file. For prototyping purposes or very small and basic applications this ways of keeping user credentials in Web.config for Forms Authentication is doable.

Below configuration example defines Forms Authentication with credentials for which passwords are kept in cleartext. Anybody who has a view permission for Web.config (through a vulnerability or normal flow) can view application users passwords.

                            
<configuration>
<system.web>
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="1440">
<credentials passwordFormat="Clear">
<user name="admin" password="secret" />
</credentials>
</forms>
</authentication>
…