As reported by user1 and via elexis in #5727, once logged-in, one can change the case of their nickname and still log-in (so long as one doesn't actually retype their password).
This is because jabberd usernames are case-normalised when comparing : https://xmpp.org/extensions/xep-0029.html
However, our password hashing uses the raw username.
To fix this, we should canonify usernames that go into hashing. However, this will break all existing passwords.
It seems like a good time to do the migration to a stronger encryption scheme, which this diff doesn't attempt yet. If anybody wants to commandeer, feel free.