I am creating a web2py application which will pull a bunch of data from different sources. What's the best way to store the API keys and passwords? Appconfig.ini seems to me as a bad option here.

You can use the Python keyring lib to more safely store and retrieve an API key into the underlying Operating System's Keyring service. As an optional optimization, you can then store the key in Web2py's cache.ram to avoid having to retrieve API key from the OS for every request.

See https://pypi.python.org/pypi/keyring

Thanks so much Himel Das for the initial answer !

In my lib odsclient I ended up implementing a series of alternatives, from the most secure (keyring as you suggested) to the less ones (OS environment variable, git-ignored text file, arg-passed apikey possibly obfusctated with getpass()).

You might wish to have a look for inspiration, see this part of the doc in particular.