[markyc]

actually, in the same paragraph he goes on to say:

In any case, if a login is required, take the absolute minimum of necessary information, ideally only a login name and a password.

maybe better than a login name and password, make it an email address and password. email address seems pretty vital for any kind of future communication

[dingaling]

> email address seems pretty vital for any kind of future communication

That's actually a reason many users don't like supplying an e-mail address. They don't want an ongoing relationship with a website, they just want to buy a box of widgets today. What I do in that case is provide a customised e-mail address and then blacklist it after the item arrives.

As for using e-mail address as the account identifier, if you do that please ensure it can be changed everywhere in your system.

I recently moved to a new domain ( cheaper annual renewal ) and whilst Amazon and eBay were painless for changing e-mail address, many other large operators were messy. Tesco, for example, is still sending half of its communications to my old address.

[mscharrer]

Some sites let the user provide a email address in order to allow password reset, but don't force it. I think this is a good practice.

[yoz-y]

Marco Arment has had problems with this and resumed it quite nicely in the Overcast FAQ (scroll a bit down for the relevant part): https://overcast.fm/skeptics_faq

[soft_dev_person]

If you have any kind of non-tech savvy users, it's a terrible practice, as you would be flooded with support requests on how to get into their accounts with no way of verifiying the actual owner.

[markyc]

yes.. even having an unconfirmed email address can get really messy when you need to get in touch with someone but just can't because the address is invalid