I'm using the 'admin verification' method to vet all new registrations. However, I found that new users can simply get around this by taking the following steps:
(1) Register a new account
(2) Try to log in. This doesn't work because you haven't received the password email yet.
(3) Click 'lost your password?', fill in email, and wait for password mail to arrive. This mail includes the username (something like unverified__e795g4md) and a generated password!
(4) Et voilà, log in.
This seems to me to be quite a serious bug. Unverified email addresses shouldn't be able to request their password.
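
A minimal model of the flow reported above, added here as an illustration; it is not part of the original post and not the code of the software being discussed. It puts a reset handler that issues credentials to any known address beside one that checks approval state first, plus a second check at login. All names (`Registry`, `reset_vulnerable`, `reset_hardened`, `enforce_approval`) are hypothetical, and passwords are held in plaintext only to keep the model short.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

UNVERIFIED_PREFIX = "unverified__"  # prefix seen in the post's example username

@dataclass
class Account:
    email: str
    username: str
    approved: bool = False          # flipped by an admin, never by the user
    password: Optional[str] = None  # plaintext only to keep this model short

class Registry:
    def __init__(self):
        self.accounts = {}  # email -> Account
        self.outbox = []    # (to, username, password) tuples standing in for mail

    def register(self, email):
        self.accounts[email] = Account(email, UNVERIFIED_PREFIX + secrets.token_hex(4))

    def _issue(self, acct):
        acct.password = secrets.token_urlsafe(12)
        self.outbox.append((acct.email, acct.username, acct.password))

    def reset_vulnerable(self, email):
        # Flow from the post: any known address gets working credentials.
        acct = self.accounts.get(email)
        if acct is not None:
            self._issue(acct)

    def reset_hardened(self, email):
        # Unknown and unapproved addresses are treated alike: nothing is sent.
        acct = self.accounts.get(email)
        if acct is not None and acct.approved:
            self._issue(acct)

    def login(self, username, password, enforce_approval=True):
        # Second gate: even a valid password fails while approval is pending.
        acct = next((a for a in self.accounts.values() if a.username == username), None)
        if acct is None or acct.password is None:
            return False
        if enforce_approval and not acct.approved:
            return False
        return secrets.compare_digest(acct.password, password)
```

Checking approval in both the reset handler and the login path means a gap in one does not by itself let an unapproved account in.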