I think this is the result of switching from HTTP authentication login to forms login. Perhaps we should have a captcha on both the register page (so we don't get our database filled with bogus users) and login page (so we catch everybody).
Or maybe switch back to HTTP auth-based login? -waddlesplash