If you store data in via the preference store this data is only accessible for your application, if the android system is valid (not rooted, etc). Every app will get a own user for access on the file system and therefor the underlying linux system will prevent the other apps from reading these data stores.
I haven't work with the preference manager yet, maybe you will find an answer on how to use it in the documentation.
If you need the passwort to loggin in to an external web app and can't simply store a hash of the password there is a special mechanism used for example for the google authentications. You log in to the web app with username password and then the web app sends a security token to your device. This token can be saved and is valid for logging in for two weeks from this device.
This can only work if you control some parts of the web app you are working with.