A database would be more secure.

If your PHP compiler stopped working for any reason, your PHP code yould be displayed as plain text, meaning that your password would be visible.

However, if you have it in a database and the compiler stops working, then the user will not see the Admin password. Although they would see the database connection information.

The best way would be in a database, and setup access hosts in your database to prevent anyone other than Localhost making a connection (Also, make sure your database user password is not the same as any other password you use, a string or random numbers/letters/symbols for example)

encrypting the password before storing it to the db is also a good security measure.

Please Store your all Username and Password in Database with Encrypt of Password Field. This is Most Security Option in admin Panel.

Ok, thanks to all

One more question. What is better solution for login users. Cookies or sessions?
In cookies I put the time of their duration, but what about sessions, how long is their duration?

the best solution is session..
because after a specified time the use automatically logged out so session is best option for security.

I am going to disagree with your reasons for using sessions over cookies, although Sessions are more secure in themselves:

This can also be done with Cookies, you can set the time they expire.
I assume you meant that they expire when the browser closes, but an auto timeout is not really required in most situations so can't really be used as the main point for using sessions..

The main advantage of sessions is that the session data is stored on the server, not on the client PC (Cookies store the data on the Client).
The only thing that is stored on the client is the session ID.

I use this in my projects:
http://www.evolt.org/node/60384