I reviewed the Blender ID client and came across a potential security issue.
Basically, using the client it is possible to use a brute-force attack to retrieve email addresses that are contained in the system. It is then possible to use a brute-force attack for the passwords.
The issue is that when a login fails, the server sends back username when the username does not exist (https://github.com/fsiddi/blender-id-addon/blob/master/blender_id/communication.py#L78), and the same for password. It is a normal pattern for user/password systems not to tell what failed during the authentication, but just to tell whether it worked or it failed.
I checked the server side code
Basically, the issue can be solved by having client authentication using SSH keys for server-to-server authentications, but that will not work with the blender-id-addon, as it is distributed with Blender. Perhaps limit the number of tries before blocking/blacklisting the client IP or so.
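The two mitigations mentioned in this report, a single failure response that does not say which field was wrong and a cap on tries per client IP, are sketched below as an added example. It is not part of the original report and is not Blender ID's server code; `LoginService`, `MAX_TRIES`, `BLOCK_SECONDS` and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

MAX_TRIES = 5        # assumed threshold of failed tries per client IP
BLOCK_SECONDS = 900  # assumed window during which failures are counted
GENERIC_ERROR = {"status": "fail", "message": "Invalid email or password"}


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginService:
    """Hypothetical in-memory login backend (illustration only)."""

    def __init__(self, clock=time.monotonic):
        self._users = {}                    # email -> (salt, password hash)
        self._failures = defaultdict(list)  # client IP -> failure timestamps
        self._clock = clock
        # Dummy credentials: unknown emails cost the same hashing work,
        # so response time does not reveal whether the account exists.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash("dummy", self._dummy_salt)

    def add_user(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[email] = (salt, _hash(password, salt))

    def _blocked(self, ip: str) -> bool:
        now = self._clock()
        recent = [t for t in self._failures[ip] if now - t < BLOCK_SECONDS]
        self._failures[ip] = recent
        return len(recent) >= MAX_TRIES

    def login(self, ip: str, email: str, password: str) -> dict:
        if self._blocked(ip):
            return {"status": "blocked", "message": "Too many attempts"}
        known = email in self._users
        salt, stored = self._users.get(email, (self._dummy_salt, self._dummy_hash))
        # The hash is always computed; 'known' guards against a dummy match.
        if hmac.compare_digest(_hash(password, salt), stored) and known:
            return {"status": "success"}
        # Failures are not cleared on success, so one valid account
        # cannot be used to reset the counter for an IP.
        self._failures[ip].append(self._clock())
        return dict(GENERIC_ERROR)  # same body for unknown email and bad password
```

A per-IP counter alone does not stop attempts spread over many addresses, so a per-account counter is a common companion to it.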