I built a small website and there will be only one admin, so in the admin panel I am asking for a password with a value that I do not retrieve from a database; I just hard-coded it in the function in the code-behind. I know this is wrong, though I don't know why.

So is hard-coding it in web.config the right thing to do? And how?

+4  A: 

As far as it being wrong... the problem is that if you ever need to change it, and it's hardcoded in your code-behind, you need to recompile, republish and re-deploy your website, whereas a change to the web.config can be done without doing this.

You could put it in an AppSetting in the web.config like so.

<appSettings>
   <add key="AdminPassword" value="ASDF1234" />
</appSettings>

and use this code to retrieve it

System.Configuration.ConfigurationManager.AppSettings["AdminPassword"].ToString()

Though I'd have a look at this.

http://aspnet.4guysfromrolla.com/articles/021506-1.aspx

It covers encrypting sections of your web.config.

Eoin Campbell
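
An added example, not part of the answer above or of the linked article: it encrypts the appSettings section from code and goes one step further by keeping a salted PBKDF2 hash in web.config instead of the plaintext password. The class name, the "AdminPasswordHash" key, the "salt:hash" format and the iteration count are assumptions made for this sketch.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Web.Configuration;

public static class AdminLogin // hypothetical helper class
{
    private const int Iterations = 100000; // assumed work factor; tune for your server

    // Encrypts <appSettings> in web.config once; ASP.NET decrypts it transparently
    // on read. The application identity needs write access to web.config.
    public static void ProtectAppSettings()
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration("~");
        ConfigurationSection section = config.GetSection("appSettings");
        if (section != null && !section.SectionInformation.IsProtected)
        {
            section.SectionInformation.ProtectSection("DataProtectionConfigurationProvider");
            config.Save();
        }
    }

    // Run once, offline, to produce the "salt:hash" value (Base64) for web.config.
    // This constructor generates a random 16-byte salt and uses PBKDF2 with HMAC-SHA1.
    public static string CreateHash(string password)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, 16, Iterations))
            return Convert.ToBase64String(kdf.Salt) + ":" + Convert.ToBase64String(kdf.GetBytes(32));
    }

    // Hypothetical key "AdminPasswordHash" replaces the plaintext "AdminPassword" value.
    public static bool IsAdminPassword(string submitted)
    {
        string stored = ConfigurationManager.AppSettings["AdminPasswordHash"];
        string[] parts = (stored ?? "").Split(':');
        if (string.IsNullOrEmpty(submitted) || parts.Length != 2)
            return false; // missing or wrongly shaped setting fails closed

        byte[] expected = Convert.FromBase64String(parts[1]);
        if (expected.Length == 0)
            return false; // an empty stored hash must never match
        using (var kdf = new Rfc2898DeriveBytes(submitted, Convert.FromBase64String(parts[0]), Iterations))
        {
            byte[] actual = kdf.GetBytes(expected.Length);
            int diff = 0; // compare every byte so timing does not reveal the mismatch position
            for (int i = 0; i < expected.Length; i++) diff |= actual[i] ^ expected[i];
            return diff == 0;
        }
    }
}
```

With the DPAPI provider used here the encrypted section can only be decrypted on the machine that encrypted it, so run ProtectAppSettings on the server after deployment rather than on a development box.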
A: 

Nothing wrong with Eoin's suggestion for tiny projects, but if your project may someday need more than 1 admin and different types of user roles, I would take the hit and set up ASP membership.

http://msdn.microsoft.com/en-us/library/ms998347.aspx

You can integrate it into Windows or use a database, and it's not too hard to set up, especially if you use the built-in config tool in IIS.

Chad Grant