[gruez]

>If instead of a username, an email address to register, that generally results in one less degree of freedom [...]

It "generally" doesn't, because the average user isn't randomly generating usernames per-site, just like they're not randomly generating passwords per-site. If they're randomly generating usernames per site, they'll need some sort of system to keep track of it, which is 90% of the way to using a password manager (and therefore randomized passwords, immune to credential stuffing). For it to practically make a difference, you'd need someone who cares about security enough to randomize usernames, but for whatever reason doesn't care enough about security to randomize passwords.

[cxr]

To start with, randomly generated usernames weren't mentioned, and they are not a prerequisite.

> It "generally" doesn't, because the average user isn't randomly generating usernames per-site

What other people do, whether average users or not, doesn't matter. When average user Alice is registering accounts on Websites A and B, the fact that average user Bob doesn't use different usernames for his accounts doesn't change the fact that if Alice would have otherwise registered account agirl on one site and pie_maker26 on the other, but instead has been forced to enter her email address, then that has a non-zero effect on risk.

For the claim as stated to be untrue, the difference in risk would need to be zero.* But it isn't zero. The claim as stated is true.

> For it to practically make a difference, you'd need someone who cares about […]

That's not true. Users who are exposed to lower risk by accident are still exposed to lower risk. It's not a prerequisite for the user to care at all, nor does it require them to understand any of this or to be trying to adhere to any particular scheme to achieve a certain outcome. The only thing that matters is what they're doing—and whether what they're doing increases or decreases risk. Intent doesn't matter.

* or it would need to be somehow less risky when email addresses are required in place of where a username otherwise would be, but that's not the case, either

[gruez]

>To start with, randomly generated usernames weren't mentioned, and they are not a prerequisite.

I've seen sites randomly generate passwords for users as well. Does that mean users reusing their passwords at all is a prerequisite? Moreover if we're really accepting "whether average users or not, doesn't matter", I can also say that using emails doesn't decrease security because you can use randomized emails, as others have mentioned. At some point you have to constrain yourself to realistic threat models, otherwise the conversation gets mired in lawyering over increasingly implausible scenarios. For instance, by asking for emails at registration, you can more easily perform 2fa, whereas you can't do that with only a username/password combination[1].

[1] before you jump to say "but can ask for an email with username/password too!", keep in mind the original claim that username/password is better was in response to a comment asking "Why must apps require email?".

[cxr]

> I've seen sites randomly generate passwords for users as well. Does that mean users reusing their passwords at all is a prerequisite?

What?

> I can also say that using emails doesn't decrease security because you can[*] use randomized emails

That _doesn't_ _matter_. Viz:

> The only thing that matters is what they're doing—and whether what they're doing increases or decreases risk.