Yep! I remembered that I had changed some code in the forums/phpbb2.php file and I changed it back just before you looked. I'd obviously introduced a bug.
However undoing my changes opened up the bug that I was trying to fix in the first place. This was that if you logged in as any valid user and then logged out, you could log in as any user (including the admin) without a password as long as you used the same browser window. In the end I changed line 344 of the file mentioned above to:
if ( isset($md5autologin) && $md5autologin == $session_key ) $checkpass = 1;
if ( $md5autologin == $session_key ) $checkpass = 1;
For some reason the session key and md5autologin where both blank and therefore matching, even though they shouldn't have.
Now both problems are gone.