From my testing:
1. If someone/bot enters a VALID username and an incorrect password, they are redirected.
2. If someone/bot enters a VALID username, a correct password and an incorrect Authorization code, they are redirected.
3. If someone/bot enters a username that DOESN'T exist and an incorrect password, they get the "ERROR: Invalid username. Lost your password?" error message and are NOT redirected.
This seems a little illogical to me. After all, most bots start off by trying to brute force "admin" as a username. As no one with any sense uses admin as a username anyway, this means that the bot will get the error message and continue trying to attack the login page as per the third case above.
So the login hasn't really been "Stealthed" like in previous versions. Instead, it's pretty much like we now need 2 passwords to log in instead of one.
Surely it makes more sense to "bounce" a bot off our site to somewhere else (thus reducing the load on our site) if the bot uses a username that doesn't exist or an incorrect password?