Can you look for any evidence in your server logs or auth_event table? Don't forget that sometimes trunk is actually more secure because fixes don't get "back-ported" to stable.
Seems like we might need to see more code (ah, Massimo asked for such). What does this do? settings.login_method = 'local' --