The last of the four assertions is intended to record the fact that we
don’t currently check the hash of a “simplified” (here: lowercased)
version of the password. We might want to do this in the future, but in
my opinion that should then be a deliberate decision, which includes
updating the test accordingly.