diff --git a/server/login.go b/server/login.go
index f82cca982310eb47eea279a564af92f38e26f52d..d840a0b1b47515c607cac193761e7baf61f6ad24 100644
--- a/server/login.go
+++ b/server/login.go
@@ -199,7 +199,8 @@ func (l *loginHandler) dispatch(w http.ResponseWriter, req *http.Request, sessio
 
 // Handle password-based login.
 func (l *loginHandler) handlePassword(w http.ResponseWriter, req *http.Request, session *loginSession) (loginState, []byte, error) {
-	username := req.FormValue("username")
+	// Case-fold usernames to lowercase.
+	username := strings.ToLower(req.FormValue("username"))
 	password := req.FormValue("password")
 
 	// If the request is a POST, attempt login with username/password.