Don't try to reinvent the wheel - particularly when you don't have a thorough understanding of what you're doing.
Aside from the missing
salt[
^] and
password stretching[
^], your code is clearly vulnerable to a
Timing attack[
^]. The chances are that a cryptography expert would find many other problems with it.
.NET already provides perfectly good authentication mechanisms - for example,
ASP.NET Identity[
^]. Use that instead.