“maybe go password less?”
To me, the password-less concept seems very much like simply making the "forgot your password" option the first or only option. It's like doing a password reset every time you log in. Not sure I like it.
Something I'd like to see is backward compatibility. For my purposes, NNF works fine as it is. So as you add layers of security for the blogging platform or for hardening forum access, I wouldn't want them to supplant the current system. Rather there should be levels of security that can be applied as appropriate.
One of the common use cases for NNF has been as a private forum. One thing I don't understand in that scenario is the appropriate method for meshing together login access to the restricted area with NNF's username and password. So when someone logs in to the restricted user area, their identity is seeded into NNF. If there is a good way of doing this, it may show the way forward as far as better security for a more robust No Nonsense platform.
The CMS software I use has an effective approach to dealing with both human and robot spammers detailed here: http://www.couchcms.com/forum/viewtopic.php?f=8&t=7047
It uses a simple question like "What color is a blue apple?" to confound spambots and checks the database at http://www.stopforumspam.com/ to weed out human spammers. NNF ingeniously uses a fake email input as a sticky trap for bots. If an actual email input becomes part of the security system, you'll need something to replace it.
I've gotta slip in a plug for CouchCMS. It's simple but powerful, fully customizable, open source, and actively developed by a friendly, helpful group of users and developers. You may find some useful ideas for your own project there.
Mailchimp and probably others provide free and easy to use RSS-to-Email capability. Since NNF is RSS-based, you can check that one off unless you want to write your own email management system. (yikes!) NNF as it stands could easily integrate email subscriptions. I post something to a blog and the next morning at 5am it is sent out to my list of subscribers as a fully styled html email. RSS has just moved into the background as a syndication service, with developers using it to push content rather than users actively pulling it. I'm of the opinion that it was passive users that gave up on RSS (damn them and their ignorance). But it's still there.
I think this list could be much larger. It's appropriate to leave all that cruft out of NNF, but when it comes to a blogging platform, who knows what you may want to share, show, or include? You don't want the platform to constrain you. I don't know, maybe tables, other video platforms like Vimeo, social crap from facebook, twitter, instagram, and so on. How about a script to open an overlay, or do animations? HTML5 video, form input, even flash.
My point is that when it comes to expressing yourself, there are endless possibilities and your platform should be open to them. You may start with some built in markup for common uses, but the blogging platform should be open to what the user wants to include. A plugin interface could be useful for extending the platform's capabilities. Couch also uses a system of shortcodes that allow a developer to create his/her own custom markup for specific purposes.
It's a lot to think about. All the best. Good talking with you again.