I just noticed that the SQL Server password is stored in clear text in the settings.txt file?
When it is stored as a connection string in web.config, we have the opportunity to encrypt it, but not with this settings.txt solution.
This looks like a serious problem.
CS
Coordinator
Dec 7, 2012 at 5:07 PM
If you care about having the password in a file, then even encrypted it's wrong. You should be using Integrated security instead of a username/password.
The file is in App_data which means only a user with access to the machine can load it. If this person has access to the machine, then he can also decrypt your web.config with one command line. As secured.
Ok, thanks, this seems to be a correct deal.
From what I googled, App_data is protected by a special file handler by .NET. Works well as long as .NET integrity is OK.
The problem with SQL Azure, which I am using, is that it doesn't understand integrated security...
Coordinator
Dec 8, 2012 at 10:09 PM
If .NET integrity is compromised, you're screwed anyways.