by ryanbrunner 3104 days ago
That's fine though, sending a forgot username / password e-mail is much simpler to do without exposing the fact that you know their e-mail (just send a "sorry, we don't have that e-mail on file" to the e-mail address if there's no match).

I agree that e-mail makes for a better login experience, but if exposing who uses your site is too much of a privacy concern, I'd rather move to usernames than have to implement awkward user experiences to never reveal whether someone is a user or not.

1 comments

I think a lot of sites already do that, although they may not send an email saying 'sorry, we don't have that e-mail on file.' It is pretty common to get an 'if that email exists, we have sent a reset e-mail to it' message when you do a password reset that doesn't expose if the email exists in the system.

Although to the point of this article, they will then happily tell you you can't use an email during signup, so it is a mixed bag.

I suppose if you allowed multiple usernames per email, you could just email them all the usernames that they have on that email address when they forgot their username, but that seems like a clunky setup. It probably depends a lot on the service though, as someone posted a link to a discussion from 2014 about Amazon's reasoning for allowing multiple emails elsewhere in this thread, which makes a bit of sense for their use-case.
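
The reset flow the two comments above describe, as an added example that is not part of the thread: the page shows the same message whether or not the address is registered, and only the mailbox owner learns the outcome. The user table, mail queue, token store, function names and the `example.com` URL are constructed stand-ins.

```python
import hashlib
import secrets

# Constructed stand-ins: an in-memory user table, mail queue and token store.
USERS = {"alice@example.com": {"username": "alice"}}
OUTBOX = []        # (recipient, subject, body) queued for asynchronous delivery
RESET_TOKENS = {}  # sha256(token) -> email, so a leaked table holds no usable token

GENERIC_RESPONSE = "If that email exists, we have sent a reset e-mail to it."
RESET_URL = "https://example.com/reset?token="  # placeholder URL


def _digest(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_password_reset(email):
    """Queue one mail either way and return the same on-screen text."""
    addr = email.strip().lower()
    token = secrets.token_urlsafe(32)  # generated in both branches
    if addr in USERS:
        RESET_TOKENS[_digest(token)] = addr
        OUTBOX.append((addr, "Password reset", RESET_URL + token))
    else:
        # Only the mailbox owner learns that no account matches.
        OUTBOX.append((addr, "Password reset requested",
                       "Sorry, we don't have that e-mail on file."))
    return GENERIC_RESPONSE


def redeem_reset_token(token):
    """Return the account e-mail for a valid token, once; otherwise None."""
    return RESET_TOKENS.pop(_digest(token), None)


if __name__ == "__main__":
    for candidate in ("alice@example.com", "nobody@example.com"):
        print(candidate, "->", request_password_reset(candidate))
    for recipient, subject, _ in OUTBOX:
        print("queued:", recipient, "/", subject)
```

Because mail goes out to any address submitted, a deployment would also rate-limit requests per address and per client.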