Ian Bicking on his blog:
The dots in usernames and passwords encoded in URLs are now escaped (so http://www.mozilla.org:roadmap.html@evilscam.net/ becomes http://www%2Emozilla%2Eorg%3Aroadmap%2Ehtml@evilscam.net/), making phishing scams easier to detect (bug 240754).
This is a much more clever solution than simply removing the ability to specify usernames and passwords in URLs (something which I do in fact use every so often).