I am running Apache with http. If I run it with httpS and a self-signed certificate, will it be better?
Yes it will because then your users' passwords will not be sent over the wire in the clear for any malefactor to read. It would be better still if your certificate were not self-signed.
I am also trying to add an "onclick" function to my login.html file below to give an error message if wrong inputs were entered. I currently have them in the login.cgi code. Which way is better?
Note that neither of these questions has much to do with Perl. You might benefit from reading up on the general basics of web server (and web application) security first.