Previously each protected path had a separate rate limit. Now they're all in the same bucket, so people are more likely to hit one with register->login. Increasing to 25 per 5 minutes should be fine.
* Add rate limits for logins and sign-ups by IP (5 in 5 minutes)
Should be enough for normal attempts
* Add rate limit for forgotten password form as well