While I'm not necessarily all that impressed by this, your specific criticism doesn't seem to be valid. It appears that n accounts are pre-created with null information and assigned out as needed. When those are about to get used up another n are created. There would appear to be a possible attack on a new account by creating lots of dummy accounts to have a big chunk of the password space under your control, but that seems like a pretty uncommon circumstance.
What I like about it is that it seems to protect stupid users from themselves. All the salt in the world doesn't do much for people who just use "password" for their password. It will still fall in the blink of an eye. We often seem to have the opinion that they deserve it for choosing a poor password, but it's still a compromised account.
The threat model is very limited to "attacker got the password hashes", but that is a common threat currently. If you're going to pick one, that's not a bad choice. It's biggest issue may be if tomorrows threat model is significantly different.