One suggestion: to avoid typos when entering the new pwd, perhaps you should use either a duplicate field for them to enter their new pwd, or force them to log in after they enter their new pwd.
Most systems ask for password confirmation when signing up. What were the reasons why Discourse chose not to? Can this be made optional?
Discourse forces every user to have an email address and allows a pretty painless password reset, so having a typo in the password isn’t really a problem.