Sexchatting websites with no registration and no emails or username and no membership
If you use simple email based password resets, without extra checks such as security questions, then all they need to do is recover the password using the email address they now own and they have access to that person's account. So even if you login by username (and not email), you'd be in danger if email addresses are recycled.(You wouldn't consider yourself safe just because no periodic correspondence was sent that revealed the login identifier?At this point though, it would frequently require a tech support call.Depending on the type of system, using email may be a security vulnerability.As long as you do something like this then you should be all set.In the event that something happens and the email address cannot be recovered for lost passwords, I would recommend having some form of email or phone communication for account recovery."keeping track of the old user in system" Open ID and OAuth ..... Even less users to manage for them and it makes migrating in one place easier on a change. I would insist that the backup email address (an additional profile field) is different than the email address they are using for the user.
If you have ever managed any type of online forum before where users are required to respond to an email to activate their account you will find out quickly that it doesn't slow down spammers at all.In that case any other person may receive periodic correspondence from your organization.This lets the new user know that the previous user of the account used to have a login with your organization. I also have an account with a credit union and they don't use email either but instead use account numbers, which they never recycle. link that sends your username and a reset-password-link.Generally if they have access to the username that will probably have access to the email address as well because access to the username usually requires some database accessibility.If they have access to the database they have access to more then just the username. CON: It's one less insulating layer between the user and spammers.