(a) The user's email address should be used as the username.
PRO: The user doesn't have to remember yet another username for yet another site.
PRO: Email addresses are more or less unique.
PRO: Entering the email address does not require any new thinking on the part of the user.
CON: A lot of pain when the user changes his/her email address.
CON: If the user can share his username publicly on the site, he will get inundated with SPAM and other unwanted email.
CON: "Email address:/Password:" prompts mislead users into entering the password for their own
CON: It is easy to guess a person's account, and determine if they are a user or not, and even impersonate them if they use the same username/password for the site that they use for their email.
(b) The user should be forbidden from using an email address as a username.
PRO: Email address is kept private.
PRO: The user can change email accounts without disturbing his identity on the site.
PRO: Users who want to use their email address for convenience may be missing some of the subtle security problems caused by doing so--you are kind of protecting them against their own ignorance.
CON: Nice, easy-to-remember names get taken fast; the user is likely to forget what username he used.
CON: Users' anonymity often causes as many problems as it solves; this is why Amazon.com has the "Real Name" feature.
Interesting -- I just checked out what Amazon does, as a reference. Amazon uses email as the login. If you change your email address (and can't get into the old one), AND you forgot your password, you are SOL: you have to open a new account.
I guess that's the "lots of pain" part, but I don't blame them.