Hi Kathleen,
Yes you should use the VerifyPassword action. It's also used in the ChangeMyPassword flow in de Administration module so you can copy that setup. Don't go copying and saving the password in other fields as it is indeed a security risk.
Password for the Account are hashed , so its not easy to decrypt it .
what I suggest while creating user and saving the user info take the password and copy in new attribute in Account entity .
You may feel its security issue ,Better use encryption module and encrypt the password and save in attribute . While comparing as
per your user story decrypt it and compare with New Password .