Working for a .EDU, this has come up, but not for security reasons. Like many, we base our usernames (still stuck on 8-character limits due to the presence of older Solaris servers in our users' environment) on the real name at time of registration. Since we have between 19,000 and 23,000 active students at any given time, this is done by an algorithm, so guessing what a given user's username is from their real name is not that hard. Depending on how you read the regulations (FERPA), this could count as a 'directory service' of the type that they have a right to opt out of.
This is the problem. If a user with a pretty unique name registers, Farheed Zakaria for example, the account generation process will assign them a username. That would be 'zakarif' in this case. Easy to guess. If you consider this a directory and they opt out, then we'd have to change the username. Changing usernames is a tricky process, and isn't automated. When students get married and change their last names, we do not change their username. We have staff that married in the early '90s that still have usernames that include their old last names.
So, goes the thinking, what if at account creation we assign users names that are less easy to derive? At the university I graduated from, the above name would be "zaka0008": the first four letters of the last name and a numeric for uniqueness. That isn't easy to derive from the given name, yet still contains some identifiers to help users remember it. That would allow us to avoid doing account renames.
We haven't done this yet, since we haven't had a firm ruling on the applicability of FERPA to this situation. But this is a real-world example of going to less obvious usernames.