Just want to share something. Following my colleague's post , there is one more way on where to store settings, which is probably the preferred way.
We have been using config list in SharePoint that only Site Collection Admin can access. The problem is that they are stored as clear text and SharePoint doesn't provide Password field type OOTB.
Since the password requirement has changed, only infrastructure team can add/modify the password and they don't want us to know what the password is. As we want to avoid web.config modification, Secure Store Service application is the rescue! and it turns out to be pretty straightforward as well.
Having created your Secure Store Service application and added the credentials in, I only had to create a helper class to retrieve my settings. I didn't end up using the code in that post as I want to simply grab all my key-value pair:
Then you can just call that function and you will get your dictionary :)
Hope this helps,