Three words, ACL, ACL, ACL!
Don't just use a password, especially not for something as dangerous as this can be (remember, if you remotely access mIRC, someone can wipe your entire harddrive!)
If you're not familiar with ACL it is Access Control List, basically it is a list of hostnames/IP addresses. If the person trying to connect doesn't have a host/IP that appears on the ACL the connection is dropped immediately, you only ask for a password (and only accept a password) if the person is on the ACL. This can signifigantly help limit the number of potential security breaches, because simply guessing a password is not enough. Also when storing the password locally, make sure it is encrypted, using $md5 is probably the best bet. MD5 isn't super strong, but it is the best mIRC has to offer. Also as far as the password goes, make some checking on it, ensure it is > 8 characters, and contains at least 3 numbers, but must also contain letters. Forcing it to contain both numbers and letters helps limit the risk of someone using a dictionary based attack.