There are so many, many things here that I hardly know where to start...
Let's start with the really dangerous one, shall we?
Do not concatenate strings to build a SQL command. It leaves you wide open to accidental or deliberate SQL Injection attack which can destroy your entire database. Use Parametrized queries instead. Particularly with your login code which not only lets me destroy your database, but allows me to log in as anyone at all without a password, simply by adding four characters to the end of the username when I enter it:
';--
Second, let's cover the way you store passwords: Never store passwords in clear text - it is a major security risk. There is some information on how to do it here:
Password Storage: How to do it.[
^] - it's in C#, but it's pretty obvious code.
Finally, why doesn't your code work? If it was relevant - which it isn't, because it all needs ripping out and throwing away to fix the other two points - do you really think my old password is always going to be the same as my username?
ElseIf txtcpoldpassword.Text <> username Then
MessageBox.Show("Invalid Old Passsword")