MS recommends that you use Windows auth. They would love to get rid of SQL auth but can't because so many people use it.
Using SQL auth generally means you have cleartext passwords lying around in web.config files. With Windows auth, all you have in web.config is "trusted_connection=yes", which doesn't reveal anything. Well, not as much anyway.
If you do opt to use SQL auth, you should store connection strings in web.config encrypted.
It claims to show you how to encrypt a connection string, but it is completely bogus since their method of "encryption" is base64 encoding. That's not encryption at all!
The sad fact is that this is the first page that comes up in the Google search above, so I'm sure there are a lot of know-nothings out there who are using this method and think they have protected their passwords...
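
An added example, not part of the original post: a small Python audit that flags connection strings in a web.config whose password is either in cleartext or only base64-encoded, which decodes without any key. The sample config, its names and its password are constructed, and treating a `configProtectionProvider` attribute as the marker of an encrypted section is an assumption of this sketch.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed sample data: server, user and password are made up.
_RAW = "Server=db1;Database=app;User Id=web;Password=Example123"
_B64 = base64.b64encode(_RAW.encode()).decode()
SAMPLE_CONFIG = f"""<configuration>
  <connectionStrings>
    <add name="Trusted" connectionString="Server=db1;Database=app;Trusted_Connection=yes" />
    <add name="Clear" connectionString="{_RAW}" />
    <add name="Encoded" connectionString="{_B64}" />
  </connectionStrings>
</configuration>"""

# Matches a "Password=" or "Pwd=" keyword at the start of a key/value pair.
PASSWORD_RE = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=", re.IGNORECASE)


def try_base64(value):
    """Return the decoded text if value is strict base64 of UTF-8 text, else None."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def audit(config_xml):
    """Map each connection string name to a finding; never returns the password."""
    findings = {}
    root = ET.fromstring(config_xml)
    for section in root.iter("connectionStrings"):
        # Assumption: a protected section carries this attribute and no <add> values.
        if section.get("configProtectionProvider"):
            findings["<connectionStrings>"] = "protected-section"
            continue
        for entry in section.iter("add"):
            name = entry.get("name", "?")
            value = entry.get("connectionString", "")
            decoded = try_base64(value)
            if PASSWORD_RE.search(value):
                findings[name] = "cleartext-password"
            elif decoded is not None and PASSWORD_RE.search(decoded):
                findings[name] = "base64-password"  # encoding only, no key needed
            else:
                findings[name] = "no-password-found"
    return findings
```
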