The whole idea of storing a password is wrong. Passwords (I mean, in their original form, as they are created by the password users) are never stored anywhere. If you think about it, you will understand that authentication never needs it. Sounds weird? Then keep reading.
One of the most typical ways of dealing with passwords securely is using a cryptographic hash function, a function with one of its important properties being that its inversion is infeasible. For further detail, please see: http://en.wikipedia.org/wiki/Cryptographic_hash_function.
When a user creates a password, its hash function is stored. So, no one can restore the original password, no matter what the privileges are. During authentication, a hash (obtained by calling the same function on the user input) is compared with the stored hash. Simple, isn't it?
I would recommend using one of the functions from the SHA-2 family: http://en.wikipedia.org/wiki/SHA-2.
It's important not to use MD5 or SHA-1 for any security purposes: these functions have been found broken, so using them is unsafe. Please see: http://en.wikipedia.org/wiki/MD5, http://en.wikipedia.org/wiki/Sha1.
With .NET, you have the cryptographic hash functions already implemented for you: http://msdn.microsoft.com/en-us/library/system.security.cryptography.hashalgorithm.aspx.
As to the second part of the question: yes, the file with authentication data should be limited in access. Windows provides user-based access control (via ACL), so what's the problem? Please start here: http://msdn.microsoft.com/en-us/library/windows/desktop/aa374872%28v=vs.85%29.aspx.
Further detail on access control depends on your settings: who is defined as admin, how she/he gets admin privileges, what your application type is, etc. I don't have this information to give you more concrete advice, but you can read about access control and apply it to your security schema. If you face some problems, ask a more specific question and supply the relevant information needed to resolve the problem.
Good luck,
—SA