Protecting SQL connection strings

Protecting your connection string is always vital. It is recommended that you put it as plain text only in config or app settings. Storing it as plain text anywhere else in your code is asking for trouble. If you place the connection string in code, it is quite easy for anyone to read it with the Microsoft Intermediate Language (MSIL) disassembler: an attacker can run Ildasm.exe to view your code's MSIL, in which the string is laid bare.

The form of the connection string also matters. Some forms carry a username and password; others rely on a trusted connection or integrated security. Where possible, use the options that do not explicitly specify the username and password.

Avoid using a username and password for Windows authentication; instead, use Trusted_Connection = true or Integrated Security = SSPI.
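The following check is an added example, not code from the book: it parses a connection string with DbConnectionStringBuilder and reports embedded credential keywords or a missing integrated-security setting, without ever printing the secret itself. The class name ConnectionStringAudit, the method Audit and the sample strings are hypothetical and constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

static class ConnectionStringAudit   // hypothetical helper, not a library API
{
    // Keyword synonyms SqlClient accepts for credentials and for Windows authentication.
    static readonly string[] CredentialKeys = { "Password", "Pwd", "User ID", "UID", "User" };
    static readonly string[] IntegratedKeys = { "Integrated Security", "Trusted_Connection" };

    public static List<string> Audit(string connectionString)
    {
        var findings = new List<string>();
        var builder = new DbConnectionStringBuilder();
        try { builder.ConnectionString = connectionString; }   // keyword lookup is case-insensitive
        catch (ArgumentException)
        {
            findings.Add("not a parseable connection string");
            return findings;
        }

        bool integrated = false;
        foreach (var key in IntegratedKeys)
        {
            if (!builder.TryGetValue(key, out var value)) continue;
            string v = (Convert.ToString(value) ?? "").Trim();
            integrated |= v.Equals("true", StringComparison.OrdinalIgnoreCase)
                       || v.Equals("yes", StringComparison.OrdinalIgnoreCase)
                       || v.Equals("sspi", StringComparison.OrdinalIgnoreCase);
        }

        // Report only the keyword name, never the credential value.
        foreach (var key in CredentialKeys)
            if (builder.ContainsKey(key)) findings.Add($"embeds credential keyword '{key}'");
        if (!integrated) findings.Add("does not request integrated security");
        return findings;
    }

    static void Main()
    {
        string[] samples =   // constructed sample values
        {
            "Server=db01;Database=Orders;User ID=app;Password=example-only;",
            "Server=db01;Database=Orders;Integrated Security=SSPI;",
            "Server=db01;Database=Orders;Trusted_Connection=true;",
        };
        for (int i = 0; i < samples.Length; i++)
        {
            var findings = Audit(samples[i]);
            Console.WriteLine($"sample {i}: " + (findings.Count == 0 ? "ok" : string.Join("; ", findings)));
        }
    }
}
```

Run against the values loaded from config or app settings, only the first sample is flagged; the two Windows-authentication forms pass.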