`bcrypt.hashpw` returns the password hashed with the same salt,
not if the password matches the hash. So to check if the
password is correct, the hash thus obtained should then be
compared, and then verified.

Also, diaspora just doesn't hash the password using bcrypt, it
appends a "pepper" to the password and then hashes it. So, when
checking the password, the pepper should be appended.