by dredmorbius 1121 days ago
The most effective method I've found has been to start using a Google service and wait for it to be sunset.

Other than that: yeah, I've generated and set some very long (40-80+ chars) passwords which I've promptly deleted from my own records on occasion. I don't think I've swapped out email addresses, though that's an option. I could see that resulting in an account being hijacked though, depending on how email addresses are handled in the account-recovery flow.

1 comments

Every place I've used that, email addresses are not publicly visible. To compromise that, they'd need to guess the very long random email address and its very long random password.
I've seen instances where the password recovery workflow indicates the email address to which a reset request has been sent, or other mechanisms by which addresses may be revealed.

That's far less frequent now, and definitely not best practice.

However, there may also be bugs and data breaches which reveal such information.