Presumably because you would need to have an indexed database of the hashes, which is yet another thing that can be hacked?
How come Safari doesn’t leak enough info? I know nothing about this topic but AIUI the only way to do keyboard fingerprinting is to time the keystrokes somehow, with millisecond resolution. But didn’t browsers do something very recently on the timing front, to block the Kaiser / Meltdown exploit which of necessity relies on accurate timing?
As regards other means of user fingerprinting, there is a ton of methods. There was one website (which now escapes me) which you went to and it produced a breakdown of all it can see about you, e.g. browser type, screen pixel size, java version, about 20 other things. It then calculated how unique the ID is (based on e.g. how many Chrome v41.5.6 users were running a specifies combination of plugins etc etc). And it very quickly got to c. 99.99%. So even if someone clears their cookies on every visit, they are still about 99.99% identifiable… well for a while until their browser gets an update etc. But the server then has to keep all that stuff in the logfiles and index it all up; I am sure most forums don’t bother.
And all someone needs to do to defeat all that is to use a different client device on a mobile IP. I have just had someone create their 4th character this way (he didn’t last long because he started posting his usual trolls). Or if they want to do it all from their home PC, they just need to run a throwaway browser instance in a VM and going out via a VPN terminating in the Peoples’ Republic of Cameroon (yes this is a real example too ). I’ve seen one chap (who created about 10 identities) use the TOR browser, but his alter egos were a dead giveaway because who would be browsing a special interest (technology related) using such a heavy duty method intended for illegal activities, and whose IP really does map to various African countries?
We had one guy who ran two characters, one polite and one who posted rude stuff, including one post which IMHO would have resulted in a police visit (to us), but in hindsight he would have been detectable simply on cookies. I think cookies are a powerful enough method, and throw in the IP for good measure.
Regarding the user’s post count, it was something I recall seeing when testing the sample installation. If it is not shown, I apologise!
Would a CSS change really suppress it? I ask that because I recall one forum I used to visit years ago (another technology one) which had a “print thread” feature (actually printing threads is where most forums, along with most other websites, fail miserably, but I suppose not many people print nowadays… although one may want to print to a PDF) and when you used that feature, every user’s email address would appear for about 100ms Someone malicious could have written a spider which grabbed the stuff, for whatever dodgy purpose.
Had Discourse had proper functionality for moving posts from one thread to another, with links to posts retained (which AFAICS requires the link to be the unique post ID # from the database, or some long hash of something) we would have probably bitten the bullet and gone ahead with the move.