First off, don't use a masked text box unless you are forcing users to have formatted passwords such as AAAA-BBBB - use a standard textbox and set the UseSystemPasswordChar
] property to mask it.
Second, checking for an empty password is simple:
.NET up to V3.5
.NET from V4.0
Thirdly, don't report a separate error: Use a generic "the username and password were not recognised" - if you report of specific password problems it tells hackers when they have a valid username.
Fourthly, ever store passwords in clear text - it is a major security risk. There is some information on how to do it here: Password Storage: How to do it.