I believe that your credentials should be stored in a configuration file (INI or JSON) outside the webroot. Since the protocol requires the raw credentials, that is the most secure approach. Also, don't forget to set proper access permissions to the configuration file.
Small example:
<?php
$config = parse_ini_file('/var/app/config.ini', true);
// PHPMailer
$mail->Username = $config['email']['username'];
$mail->Password = $config['email']['password'];