At least use HTTPS so that our passwords aren't passed in plain text across the internet. Or, like you said, implement some sort of OAuth2 login so we can log in with Twitter, Facebook, GitHub, Persona, etc.

(Correction) Looks like you can use HTTPS, but it is optional. It should be required on the login page at least.