I'm going to give a bit more involved answer. The general answer is pretty secure, but how secure varies in exactly what kind of connections you make for downloading transfers.
For downloading you have three choices: Web Connect (Manual, go to website and download QFX file, Quicken knows nothing of your password) Direct Connect (Your password is stored in Quicken's password vault in your data file, and it is encrypted, it is only fetched and used when you are downloading transactions. Even if someone gets your data files and even if the data file has no password, the Password Vault password/encryption prevents getting at the passwords. So it is as secure as it comes as long as your password is good) Express Web Connect (Intuit's servers log in to your financial insitution's web site and gets your transactions once a night, and caches that data waiting for you to request if through Quicken. By its nature your password are on the Intuit's servers, but they are suppose to be using bank level security for them. Also when they log in they are only doing it in a "read-only" mode). For bill pay. If it is through your financial institution it has to be through direct connect and so it has the same security. If from Quicken's bill pay they do not use your password after the connection to the account is made for going to the financial institution because it is a ACH transfer, but of course they have to verify that you are you so they must store your password for that too.