This could be interesting... If I know someone else's email address and create an account with that email address as username, and set a random password, would that prevent the user sharing that email address to login via email? because that check would get an invalid password. Well, I guess that's what should be done, but the error message shouldn't be a plain "invalid password", otherwise the user may be confused if the password is actually correct.
Topic on Talk:Requests for comment/Login via e-mail address
I'm afraid not. Because current implementation will only accept emails that already have been authenticated. So although someone have made an account with already-known email address, it will be ignored on authentication process.
I meant that someone could create an account with an email address as username. But well, now I see this shouldn't happen, since @ is not allowed in usernames, althought I'm sure that hasn't been always the case, and someone managed to create accounts like this in wikipedia.