After further thought and reviewing your code I realized you left one area out that should be addressed.

You check to make sure password and login don't match but you should make sure the login does not exist in the password.

For instance it is consider a weak password if I do something like so.

Login: BobSmtih

Password: BobSmith123

Use Charindex to look for bobsmith in the password string and if return > 0 it was found, password is bad.

Just a suggestion.