Well, first of all, it would be best to wrap your entire path in a URLEncodedFormat(). This ensures that any special characters in either the hashed PW or the UN are URL-friendly.
What I would do is set a variable into your APPLICATION scope that is a seed. When you pass the password, use Encrypt on it with the seeded value. This way, when your CFC gets the request, it can use Decrypy, and has access to the seed value in the APPLICATION scope in order to determine the actual value passed by the user, and perform authentication at that point.