1. Brute force attack prevention
It appears that Discourse does not take measures to detect and prevent multiple wrong sign-ins.
Good security practices should essentially be in core.
A brute force attack is a common attack; a successful one means the attacker had enough time and was not detected.
The following method is meant to weaken this sort of attack.
The system should keep track of failed attempts per account login.
After 5 failed login attempts, the user will have to answer a CAPTCHA challenge on the following attempts.
After 10 failed attempts, transparently deactivate logins for this account for 24 hours.
Ignoring the login silently at this point will make it even more difficult for the attacker, as they will not know that the attempt was voided.
At this point even the legitimate user (the victim) will not be able to log in. The system will send
an email to the account owner letting them know that there was suspicious activity and that regular login is suspended to protect them.
The email will contain a link to a tokenized login page from which the legitimate user will be able to log in during the next 24 hours (basically 2-way authentication).
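The policy above, written out as an added example (not Discourse's own code): a per-account throttle that asks for a CAPTCHA from the sixth attempt, silently locks the account for 24 hours from the tenth failure while the caller keeps returning the usual failure message, and issues a single-use recovery token that stands in for the emailed link. Class and method names, the in-memory store and the injectable clock are assumptions made for the example.

```ruby
require 'securerandom'
require 'digest'

# Added example (not Discourse code): the failed-login policy described above.
# Thresholds are the post's; names and the injectable clock are assumptions.
class LoginThrottle
  CAPTCHA_AFTER = 5              # CAPTCHA required from the 6th attempt on
  LOCK_AFTER    = 10             # silent 24-hour lockout from the 10th failure
  LOCK_SECONDS  = 24 * 60 * 60
  Account = Struct.new(:failures, :locked_until, :token)
  attr_reader :outbox            # stands in for the mail sender

  def initialize(clock: -> { Time.now })
    @clock    = clock
    @accounts = Hash.new { |h, k| h[k] = Account.new(0, nil, nil) }
    @outbox   = []
  end

  # What the next password attempt must do: :allow, :captcha (challenge first)
  # or :ignore (locked: discard it, but still answer with the generic failure text).
  def check(username)
    acct = @accounts[username]
    if acct.locked_until
      return :ignore if @clock.call < acct.locked_until
      reset(username)              # lock expired: start counting afresh
      acct = @accounts[username]
    end
    acct.failures >= CAPTCHA_AFTER ? :captcha : :allow
  end

  # Called after a wrong password. Attempts during a lock are not counted.
  def record_failure(username)
    return if check(username) == :ignore
    acct = @accounts[username]
    acct.failures += 1
    return if acct.failures < LOCK_AFTER
    acct.locked_until = @clock.call + LOCK_SECONDS
    acct.token = SecureRandom.urlsafe_base64(32)   # unguessable, single use
    @outbox << { to: username, token: acct.token, valid_until: acct.locked_until }
  end

  # The emailed link: token compared via digests (constant time), valid only
  # while the lock is active; success clears the lock and the counter.
  def recover(username, token)
    acct = @accounts[username]
    return false unless acct.token && @clock.call < acct.locked_until
    return false unless Digest::SHA256.digest(acct.token) == Digest::SHA256.digest(token.to_s)
    reset(username)
    true
  end

  def reset(username); @accounts.delete(username); end
end
```

The login controller would call `check` before verifying the password, `record_failure` on a wrong one and `reset` on success, and the tokenized page from the email would call `recover`.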
2. Session management and remote logout
Allow the user to log out / destroy all open sessions.
This feature is to allow a user who logged in on a computer (library, school, friend's, Apple store) and forgot to log out to end those sessions (I can't count on one hand any more the times that I have seen open Hotmail/Gmail sessions in public places).
3. Email change should require password
It appears that changing an email does not require a password; in cases like section 2 above, this makes it very easy to hijack an account for good.
Corrective measures:
Require the user's login information before changing the email or any element that has an impact on the ownership or security of the account.
4. Login with email only (configurable)
Usernames are public information. For more security-conscious setups, allowing logins by email only will add another layer of security: an attacker will have to find out 2 secrets (first the email associated with the account, then the password).