Account registration allows malformed data to be added to the password file
Trac account registration lets users (mostly spammers) put a \r in their username or password. It's frequently added at the end, presumably as part of some newline convention confusion. This is written straight out to the password file, where it confuses future attempts to read it. Fortunately the damage isn't catastrophic, but the particular credentials with the \r end up unreadable, and an error is written to the log each time one is encountered.