Expanding on the security aspect, let's assume the logon ID and Password fields are 30 characters and 25 characters in size, and you can use only lower case letter, upper case letters, and numbers. That means you have 26 + 26 + 10 options for each location which adds up to 62 options.
In empty fields the total options is 62 to the 30th power then 62 to the 25th power - both of which are huge.
If an intercepted signal shows you use 13 characters for one field and 19 characters for the other field and shows which is which field that reduces the options a great deal to 62 to the 13th power and 62 to the 19th power. And that's before you get into the situation that most of the characters are already known.
If, like is common, the email address is the ID, knowing most of the field means that can be easily checked out and the proper address located by other means, most of which are easy. If that proves to be the reject, then it's likely they now have both.
As to a rejected email be found out, say you enter email@example.com (a common type error with the n and not the m) then the error is obvious - correction is obvious, case solved. Most such errors are damned easy to resolve through such an obvious error or sending a few emails out.