By default, all Salesforce credentials are stored in the variables table, unencrypted. If this is a problem for you, this module supports encryption via the AES module: http://drupal.org/project/aes.

You will need to create a directory outside your webroot wherein your encryption key will be stored. (You can use the same one you used for your WSDL.) Your credentials will then be encrypted as securely as AES allows.

Please note: your data is still only as secure as your network. It may be possible for a savvy attacker to access your data at any of various points between your Drupal site and Salesforce.com. As always, you should educate yourself about the risks involved before storing and transferring sensitive data across the internet.