Earlier this year, when I went from having only Facebook-login on Wishy.gift to allow registrations with email address and password, one of my concerns was how to implement this is a way that protects the data and privacy of my users. I don’t have any ads or analytics on the site, the users can select whatever display name they want, and I never stored the email addresses I got from Facebook when a user registered or logged in - only a hashed[1] version of the ID. Email addresses and passwords, on the other hand, are a whole other beast, and the consequences of a database breach much worse.