The first, most dangerous, thing you're doing wrong is using the sa account for your asp.net application.
Set up a different account for your application. Grant it only the permissions it needs to function correctly.
And if your ASP.net application isn't getting the password wrong, which it almost certainly isn't, then something else is trying to connect to your SQL Server. Is it accessible to the outside world? You'll want to change that too.