The secure/best method is to not save the password in config file and use Windows Authorization. If that's not possible, save in the config and restric access to that folder.

Details: http://consultingblogs.emc.com/jamiethomson/archive/2007/04/26/SSIS_3A00_-Storing-passwords.aspx