More and more websites allow or require users to enter their e-mail addresses, to be used either as identities or for other purposes. Although username-based identity and password problems resulting from user behaviors have been a research focus for quite some time, the serious issues related to using an e-mail address as an identity, and the associated online behaviors of users, have not been well investigated in the literature. In this paper, we discuss and analyze security and privacy problems resulting from the use of an e-mail address as an identity, via a well-designed user behavior survey and by investigating websites' design schemes. Our results illustrate that using an e-mail address as an identity poses high security and privacy risks. This is mainly because of the multiple usages of e-mail addresses and users' improper online habits. Moreover, we discuss the drawbacks of existing solutions for the e-mail-address-as-identity problem and related password problems, and present two potential solutions that may secure online identity management systems in the future.