If I remove the password field completely from the form, it will pass the valdation(if user exists in the users table). Are you saying that it should give error already with the from_array($_POST,'username','password') ? Well it doesnt
I just checked the code and there really is nothing more changed than a) I dont use htmlform extension, just plain login form. b) redirects point to another controller on succesfull login(not welcome page).