You can add a recordset to the page that is filtered by the userID and entered password.
This would return 1 result if the passwords matched and 0 if it did not.
Then you could add Validation Toolkit's Server Validation server behavior to validate that the results returned are greater than 0 using number validation.
Server validation would then also allow you to add a customized error message to the page based on that validation value and would prevent the update on the page where the server validation was applied until it was entered properly.