Two problems here:
One, why are you storing the user's password in plain text in a cookie? That's extremely unsafe! This is so fundamentally insecure that you might as well not have passwords. There are plenty of ways to handle this. Here's one simple example:
If you want the site to "remember" the user's password, generate a unique token (such as a GUID) and store the GUID alongside their account info on the server as the "active session", and store the GUID in the cookie. When the user visits the site, check to see if the token cookie exists and if so, you can match that up with the user's login info on the server side and bypass the login page altogether. There are additional things to take into consideration, but that's the basic concept.
Two, your current design requires an AJAX-like callback. The code you've written in c# runs on the server, but the focus/blur events happen on the client side.
From a purely technical perspective, you should write JavaScript to handle this entire process. A JS function can run onblur() and JS can read cookies just as well as .NET can:
var usernameBox = document.getElementById('usernameBox');
usernameBox.onblur = handleBlur;
function handleBlur() {
var passwordBox = document.getElementById('passwordBox');
passwordBox.value = readCookie(cookieName);
}
function readCookie(cookieName) {
var nameEQ = name + "=";
var ca = document.cookie.split(';');
for(var i=0;i < ca.length;i++) {
var c = ca[i];
while (c.charAt(0)==' ') c = c.substring(1,c.length);
if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
}
return "";
}
(Note that getElementById uses the client ID, and not the ASP.NET ID)
Your security issue is a much bigger problem. There is no way to fix what you're trying to accomplish; it's just fundamentally a bad idea.