On my site we require every user to pick a username, but users can log in with their username OR email address. This allows us to keep email addresses private, but also makes it easy for users who just can't or dont want to remember their username.
It's a simple regexp in your login controller to figure out if what they typed in should be checked against the email address or username field in your users table.
On most sites it's difficult for a bad guy to discover the email addresses of your users (they're private). It's trivial to discover the usernames (they're public). With thousands (or millions) of users it's not hard for a bad guy to find accounts with weak passwords. Probably wise to make sure you have decent password constraints and a way of preventing brute-force logins.
It's a simple regexp in your login controller to figure out if what they typed in should be checked against the email address or username field in your users table.