Updated answer:
There is an Apple doc which shows the correct way of doing it. You was close.
(I have not tried it myself)
do shell script "rm -rf /$HOME/Downloads/*" user name "USERNAME" password "THEPASSWORD" with administrator privileges
From the doc:
How do I get administrator privileges for a command?
Use the administrator privileges, user name and password parameters
like this:
do shell script "command" user name "me" password "mypassword" with
administrator privileges user name and password are optional; if you
omit the user name, do shell script assumes it to be the current user;
if you omit the password, it will ask for a password when it runs.
Once a script is correctly authenticated, it will not ask for
authentication again for five minutes. As of Mac OS X 10.4, this grace
period does not extend to any other scripts or to the rest of the
system; manually calling sudo -k is unnecessary.
For security reasons, you may not tell another application to do shell
script with administrator privileges. Put the command outside of any
tell block, or put it inside a tell me block.
Bear in mind that administrator privileges allow you to change any
file anywhere in the system. You can render your system unbootable or
even erase the entire disk with a few well-placed commands, so
exercise caution. Better yet, don’t use administrator privileges
unless you absolutely have to. Unless you are doing system-level
development, you should never need to change anything in /System —
changing /Library should suffice.
Note: Using sudo(8) with with administrator privileges is generally
unnecessary and creates security holes; simply remove the "sudo".
IMPORTANT UPDATE 2
*You can save the app as "run only" (Save an editable copy for yourself first)
( If you only save it as a Run Only even you will not be able to open it and edit it later on once you have closed the script window.)
Then use the File->Export menu which will give you the option in the save dialogue to save as "Run Only"
Attempt to open main.scpt file in application package:
A Run only will stop someone from opening the script embedded in the Application by double clicking on it to open it in Script Editor and discover your password. But there is a way of finding the user name and password from a Run Only and it is not that hard to figure out even for a casual user.
I WOULD THINK TWICE ABOUT PUTTING YOUR USER NAME AND PASSWORD IN THE APP.
UPDATE 3
A little idea to help if you must do this is to break up the password text by creating nonsensical variable name to hold it and jumble them.
When the code runs it will reassemble them in the correct order.
For example.
if the password is 88>0TpFpax
I will use:
set T to "Tp"
set Po to "88"
set TC to "Fpax"
set TEH to ">0"
do shell script "say blahbla" user name "markhunte" password (Po & TEH & T & TC as string) with administrator privileges
Notice that not only do the variable not mean anything or show any sense of order but the bits of password are also jumbled within them.
All until the code runs.
So even if they do stumble on how to do what I am talking about the password will not be assembled in any order that it can just be used.
Best Answer
I don’t believe that the Security framework keeps a two-way copy of your password. The best you could do is use a keychain pair as you’ve stated and then have your script check if that password is able to be locally authenticated before trying it over the network. That way at least you get an alert every few months to update your Keychain.