It's not case-sensitive, also your request is sent as plain text to the server which is big lol if someone on same network monitoring
https://prnt.sc/1tr5yn1
thats why javascript crypto (cipher) libraries exist, to be used for masking of this plain data before request is sent
2fa on website can by bypassed if you have logs of last authenticated (successful login) browser (including version) and ip
ingame you only need the ip address (I have logs from people trying to log my account ingame with ip "0.0.0.0" which basically routes to default server ip and if the 2fa excluding 127.0.0.1 (localhost) or its public ip(s) from the list on login attempts - there you go)
I guess you should change your password more often at least because of last 3 public dumps of warmane database in recent years