Login password check accepts any password
OrdinaryJellyfish opened this issue · 1 comment
OrdinaryJellyfish commented
Currently, the password check on login will run no matter what password is entered, even if it is not the user's correct password. This could allow someone to enter a pwned password for any account and lock it down. The reason it does this is that the check currently uses the CheckingPassword event, which triggers before the user's password is validated, not after. What would need to be done is to move the code to an event/middleware/etc. where it can be made sure the user's password is correct before checking against the database.
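The ordering problem described above, modelled as an added example (this is not the extension's or Flarum's code; the user store, the `sha1`-based password check and the `PWNED_HASHES` set are constructed stand-ins, and the two `login_hook_*` functions are hypothetical names for "check before validation" and "check after validation"). The first flow lets anyone who knows a username lock that account by submitting any breached password; the second only acts once the submitted password is proven to be the user's:

```python
"""Model of a breached-password check placed before vs. after credential
validation. Added illustration with constructed data; not project code."""
import hashlib
from dataclasses import dataclass


def sha1(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest().upper()


# Constructed stand-in for a breach-corpus lookup. A real deployment would
# query a service such as Have I Been Pwned's range (k-anonymity) API.
PWNED_HASHES = {sha1("password123"), sha1("qwerty")}


def is_pwned(password: str) -> bool:
    return sha1(password) in PWNED_HASHES


@dataclass
class User:
    username: str
    password_hash: str  # toy: bare SHA-1; real code uses bcrypt/argon2
    locked: bool = False

    def check_password(self, candidate: str) -> bool:
        return sha1(candidate) == self.password_hash


def login_hook_before_validation(user: User, candidate: str) -> str:
    """Buggy ordering (hook fires before the password is validated):
    the breach check runs on whatever string the client submitted."""
    if is_pwned(candidate):  # attacker-controlled input decides this
        user.locked = True
        return "locked"
    if not user.check_password(candidate):
        return "bad_password"
    return "ok"


def login_hook_after_validation(user: User, candidate: str) -> str:
    """Fixed ordering: only a password proven to belong to the user can
    trigger the lockdown. A wrong guess changes nothing."""
    if not user.check_password(candidate):
        return "bad_password"
    if is_pwned(candidate):
        user.locked = True
        return "locked"
    return "ok"


def attacker_lockout_succeeds(flow) -> bool:
    """Attacker knows only the username and submits a known-breached
    password that is NOT the victim's. True if the victim gets locked."""
    victim = User("alice", sha1("correct horse battery staple"))
    flow(victim, "password123")
    return victim.locked


def legit_user_with_pwned_password_is_flagged(flow) -> bool:
    """The check must still fire when the user's real password is breached."""
    bob = User("bob", sha1("qwerty"))
    result = flow(bob, "qwerty")
    return result == "locked" and bob.locked


if __name__ == "__main__":
    for name, flow in (("before validation", login_hook_before_validation),
                       ("after validation", login_hook_after_validation)):
        print(f"{name}: attacker can lock victim = "
              f"{attacker_lockout_succeeds(flow)}, "
              f"real breached password flagged = "
              f"{legit_user_with_pwned_password_is_flagged(flow)}")
```

Both flows still flag a genuinely breached password; the difference is that the fixed flow gives an unauthenticated client no way to change account state, which is the property the issue asks for.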
OrdinaryJellyfish commented
Fixed in d607d79