You need to include message/field lengths. That way you can avoid classic problems such as "what happens if the password contain 00x3?".
I'd suggest something like this (this is only a guide, adapt it as you see fit):
It's important to use a length indicator, as socket input to your program will appear as a stream of data. One call to recv() isn't going to get you one complete message. If you want to know more, ask (or read a TCP/IP programmers book/reference)
Where AAA is a message length indicator (always 3 bytes, padded with leading zeros),
B is the message type indicator,
and C is the message.
007 - 7 bytes of data coming up next
U - User id follows
HAMMER - the user (duh!)
009 - 9 bytes of data coming up next
P - Password follows
SeCuRiTy - the password.
Of course, you may want to consider some form of encryption if you're sending passwords over a socket.