revisiting an expired link or getting the email wrong reports "Invalid e-mail and reset key combination."
9002 character long passwords are accepted but cause an error when logging in, so this still needs review to figure out what's up (and/or telling AUR they've got a bug)
Forms not profiles on password registration, from least to most likely to justify profiling in the future:
Stray observations