Reverse-engineering of your application is possible when your code is not obfuscated. For security purposes, a developer may use cryptographic services to encrypt the user name and password and store them on the client's (the user's own) PC so they can be reloaded later (so the application can log in again as the same user without asking for the user name and password). This information is often kept in an .ini/.config/.xml file or some other ASCII file.
Cryptographic services help your client keep private and confidential information from others. The more bits used for encryption/decryption, the harder it is for hackers to hack your code. But here the problem does not come from the algorithm but from .NET itself, if you are writing normal code without obfuscating it.
Let's have a sample from MSDN using RijndaelManaged Class:
(The demo here is to urge the developers to tighten-up the security, not to encourage hackers!)
2) Browse to the .NET application you wish to decompile. Drag and drop it onto .NET Reflector. (Sample provided; remove the "Config.ini" file to regenerate it.)
3) Browse to the default namespace. You might ask: how do you know which is the default namespace? Normally it has the same name as the application. If you are not sure, just browse them one by one, since you can decompile all of them :-D
4) Browse to the default class. You might ask again: how do you know which is the default class? Same answer as step (3).
Browse to the default form/module. You might ask for the third time: how do you know which is the default form/module? In C#, developers normally name it frmMain/frmMDI/frmLogin. In VB .NET, the entry point should be the modmain module. Otherwise, just follow step (3) :-)
5) At this point, you may have no choice but to look into all the possible methods (sometimes you can spot likely ones such as frmLogin_Load, btnLogin_Click, etc.). Click a method to see its disassembly in the right pane.
Now you can see the user name & password are decrypted, before they are used to validate/compare with the user input.
6) Remember the configuration file named in the form constructor. It is useful later for finding out where the encrypted information is stored.
7) Click on any method in the disassembler pane to drill down. If it requires an additional assembly, a message box will appear. Just click OK.
8) Again, click on the method in the disassembler. You can find the decryption method. It uses the Rijndael algorithm.
9) Oh, my God! It comes with the IV and key, embedded in the application.
10) Copy the decryption method, IV and key, and build a simple console application. (Sample provided)
11) Pass the encrypted string in to the console application you just built.
Done! Now you are a hacker! Oops, sorry, I meant you must tighten up your source code compilation for security purposes.
p/s: Even in Java, there are tons of decompiler tools available. That's no surprise, since .NET is modeled on Java.
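
The walkthrough succeeds because the Rijndael key and IV ship inside the assembly, so anyone who can read the binary can decrypt Config.ini. The following is an added example, not code from the original post or its samples: it stores the same saved-login data with Windows DPAPI (`ProtectedData`) so that no key exists in the application to recover. The class name, the entropy string and the credential values are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example. Windows only; on .NET Framework add a reference to System.Security.dll.
// No key or IV appears in this code: Windows derives the key from the user's logon secret.
static class CredentialStore
{
    const string ConfigPath = "Config.ini";   // same file name as in the walkthrough
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("SampleApp.Login.v1"); // not a secret, constructed

    public static void Save(string user, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(user + "\n" + password);
        byte[] blob = ProtectedData.Protect(plain, Entropy, DataProtectionScope.CurrentUser);
        Array.Clear(plain, 0, plain.Length);   // do not leave the plaintext buffer around
        File.WriteAllText(ConfigPath, Convert.ToBase64String(blob));
    }

    public static bool TryLoad(out string user, out string password)
    {
        user = password = null;
        if (!File.Exists(ConfigPath)) return false;
        try
        {
            byte[] blob = Convert.FromBase64String(File.ReadAllText(ConfigPath));
            byte[] plain = ProtectedData.Unprotect(blob, Entropy, DataProtectionScope.CurrentUser);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
            Array.Clear(plain, 0, plain.Length);
            if (parts.Length != 2) return false;
            user = parts[0]; password = parts[1];
            return true;
        }
        catch (FormatException) { return false; }          // file edited or truncated
        catch (CryptographicException) { return false; }   // blob from another user or machine
    }

    static void Main()
    {
        Save("alice", "constructed-password");              // constructed sample values
        string u, p;
        Console.WriteLine(TryLoad(out u, out p) ? "loaded credentials for " + u : "no usable credentials");
    }
}
```

DPAPI ties the blob to the Windows user profile, so a copied Config.ini plus a decompiled assembly no longer yields the plaintext. Code already running as that same user can still call `Unprotect`, so this removes the embedded secret rather than defending a compromised session.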