Changes since DRUPAL-5--1-5:
- #564062 by Matthew Davidson, hunmonk: Admin created accounts should have password length validation.
- #591714 by hunmonk: Pre-auth actions should not be taken when users can't set their own password.
- #600100 by hunmonk: one-time link in password reset email should validate the users account.
- #491484 by iva2k: Better wording for one-time login link.
- #555022 by hunmonk: login case in hook_user gets empty edit array.