- i can register any email that belongs to others, and he/she will have no chance to cancel it
- i can register with the others' email and name it as something like "sucks", and he can never change the login name
- no way to recover when an activation email got lost
suggestion: solution a. create user after activation only (easier) solution b. introduce "drop account", account-rename, resend activation email (harder)