I want to have a way of authenticating an user (which introduces his password) without having that password stored in plain text or even a hash of it.

How should I do it?

Is it secure to have a control string that the user key can cipher and compare it with the ciphered string that I have stored?

Per NIST (National Institute of Standards and Technology):

Use a hash function, iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions such as PBKDF2, password_hash, Bcrypt and similar functions. The point is to make the attacker spend a lot of time finding passwords by brute force.

See: How to store your users’ passwords safely

Excerpted from the presentation "Toward Better Password Requirements" by Jim Fenton Information based on NIST SP 800-63-3 Draft document "Digital Authentication Guidelines"

Do:

Require an 8 character min, >64 max with no truncation or 6 random digits  
Use a dictionary to disallow common passwords against a dictionary list of 10M compromised passwords  
Allow all printing characters (Unicode optional) + spaces but MAY canonicalize spaces out  
Best to accept Unicode, including emojis (1 “character”/code point)