Fix for 456, 424

[jomora]

This PR fixes a critical bug in the authentication mechanism. The solution has been provided by @sroeger in #463. Due to merge problems I implemented the solution again to have a clear and concise PR. I will #463 now.

Please review the changes!

[oasp-ci]

Can one of the admins verify this patch?

[hohwille]

I also reworked the review comments to finally finalize this fix. @jomora Thanks for your PR!

[hohwille]

For the record: of course I also tested and verified that now login is only possible with correct pwd.