Quick one: When I registered I used a very long password. It was accepted, but when I tried to log in (after the automatic login following the verification mail URL) I was told it was wrong.
I’ve experienced this before when two code paths are used for password capture and password use: if they have different maximum string lengths, then they won’t match on passwords which are too long for the shorter one.
Can you enforce the same limits in both parts of the code (and the interface itself)?