Is it good or bad practice to allow a user to change their username?

  • I have looked all over online as well as this site to try to find out more information regarding the security of this, but haven't found anything. In my particular case, the product is a website, but I think this question applies for any software that hosts a large number of users.

    I know there are numerous websites out there that allow you to change your username, but at the same time there are many that do not allow it. I'm sure some that do not allow it may be just for simplicity, but possibly for security as well.

    My question is just like the title asks:

    From a security standpoint, would you say it is good or bad practice to allow individuals to change their username?

I currently cannot think of any reason not to allow it, given it is done properly (i.e. make it impossible to have duplicate usernames, require inputting the current password to make sure password requirements are still met regarding not containing the username, etc.), but I can't help but think there's something I'm missing.

    I know there are advantages from the user's perspective to allow them to change their username. An example would be if they set their username to their email address and decide to use a different email address later. Instead, I'm curious of the benefits vs risks regarding the security of the application and login process if you allow them to change their username.

    EDIT:

    Some of the answers bring up good points regarding publicly-displayed names, but to clarify, the question is not regarding any public display name, but instead the unique username used to log in.

Interesting question. I don't think you need to forbid it to protect yourself from the users, but you might want to limit it to protect the users against each other. Changing a username can be helpful if you are trying to scam people on the site.

    The game marketplace Steam has plenty of people that do just that. The scammers change their username and picture to pretend that they are someone you know and ask you to trade your items to them. Steam has a feature that lets you see recently used names by each user, which is one way for a user to prevent themselves from getting scammed by such a trick. You could also potentially show details like how long they've been friends with the user or when the username was last changed to prevent this kind of scam too.

    Stack Exchange sites not only let you change your user name, but it need not even be unique.

    @Michael It's great, isn't it?

    Do you ask about user-to-server security (no effect) or user-to-user security?

    The question is tagged with "credentials" @Michael so I don't take it to be about display name only. You two Michaels don't authenticate yourselves to SE with the same "username".

I think nowadays if the username is publicly visible and others have to use it to address someone, then there's an option to modify it. If its sole purpose is to log someone in other than by using email, then it can be a constant.

    You could have a site which keeps base usernames static, but allows users to change their display name.

One of the applications I maintain is a bit of a nightmare to change the username in, as it's their email address - and this email is linked to a few legacy databases, so it would need to be checked and reset in a few places with all the potential knock-on effects! So it's easier to disallow it...

    The only reason I can think of to prevent users from changing usernames is this kind of situation. Depending on the type of service you may want to take steps to prevent it but, overall, it wouldn't be a big problem a lot of the time.

  • fluffy

Correct answer

    3 years ago

    Many people have looked at the reasons not to allow name changes from both a security and a community standpoint. However, there are plenty of legitimate reasons to allow username changes, even if the username is separate from the display name, for example:

    • Someone has changed their real life name or the name by which they'd prefer to be called, due to marriage, family situations, escaping stalking/harassment/etc., and so on

      Even in the case of it being simply a username, having to use an old name which carries trauma can further the trauma. Also, it is quite possible for a stalker/harasser to know their target's login credentials, and being able to change both parts of the credential lowers the attack surface; further, monitoring attempts at logging in to an abandoned username allows for building a legal case against a bad agent.

    • People have decided to move forward on a gender transition

      Being forced to use one's "dead name," even in the context of a private username, is also very traumatic. (I can speak to personal experience on this one.)

    • People have a username that they no longer feel suits them for whatever reason

      This has less of an implication for internal usernames but it's still better to err on the side of kindness, in my opinion.

    These are all important for user comfort, and in many cases people would likely just create a new account with the new name anyway, so might as well support it.

    Avoiding social engineering certainly is important but there are approaches that help to mitigate this, such as various forms of verification (as seen on several social networks), public-key cryptography, and profile indicators ("name last changed N months ago; name changed K times"). And, since this question has been edited to be regarding internal user names and not public display names, those concerns aren't even germane to the discussion.

Also, keep in mind that many attack surfaces provided by someone changing their username are also present for someone simply creating a new account, and if a username change option is not available then the user will likely create a new account - possibly using the same password as the old one and otherwise doing things that might lead to compromised security.

    It is a good idea to maintain an audit trail of username changes and disallow the creation of new accounts that use a previously-used username (at least if the username was last used within the past, say, year), but there is no reason that the username should ever be the primary key used to associate data with the user account in the first place, because there are legitimate purposes for a username change and all account records should be normalized to an abstract internal-only ID in the first place.

    The nature of the community has some bearing too. If your usernames are essentially private (as in Gmail, or most non-social services that require registration) then allowing arbitrary changes is non-controversial. However if usernames are both public and relevant (such as on a discussion forum, blog, journalism site, or even SO) then allowing arbitrary username changes causes more problems than it solves and just facilitates trolling and evasion of accountability.
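The answer's last two practical points (an audit trail of username changes, no reuse of a recently retired name, and an internal-only ID as the key that every other record references) can be shown concretely. The following is an added example, not code from the answer's author or from any site named on this page; the schema, the one-year reuse window, and the function names are assumptions. It also serves the earlier comment about Steam's "recently used names" feature, since the same history table is what such a display reads from.

```python
"""Username-change bookkeeping on top of SQLite (added example, hypothetical schema).

Design points demonstrated:
  * accounts are keyed by an internal user_id; posts reference that id, never the name
  * every name an account has held lives in username_history (the audit trail)
  * a name that is current, or was retired within REUSE_WINDOW, cannot be registered
    or switched to by anyone else (case-insensitively)
"""
import sqlite3
from datetime import datetime, timedelta

REUSE_WINDOW = timedelta(days=365)  # assumption: "within the past, say, year" from the answer


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (
            user_id  INTEGER PRIMARY KEY,                 -- internal-only id, never shown to users
            username TEXT NOT NULL UNIQUE COLLATE NOCASE  -- current login name
        );
        CREATE TABLE username_history (                   -- audit trail: one row per name ever held
            user_id    INTEGER NOT NULL REFERENCES accounts(user_id),
            username   TEXT NOT NULL COLLATE NOCASE,
            started_at TEXT NOT NULL,
            ended_at   TEXT                               -- NULL while the name is current
        );
        CREATE TABLE posts (                              -- user content joins on user_id, not on name
            post_id INTEGER PRIMARY KEY,
            user_id INTEGER NOT NULL REFERENCES accounts(user_id),
            body    TEXT NOT NULL
        );
    """)
    return conn


def name_is_available(conn, username, now):
    """False if the name is current on any account or was retired less than REUSE_WINDOW ago."""
    cutoff = (now - REUSE_WINDOW).isoformat()
    row = conn.execute(
        "SELECT 1 FROM username_history "
        "WHERE username = ? AND (ended_at IS NULL OR ended_at > ?) LIMIT 1",
        (username, cutoff),
    ).fetchone()
    return row is None


def register(conn, username, now):
    """Create an account; the reuse check blocks names retired too recently by someone else."""
    if not name_is_available(conn, username, now):
        raise ValueError(f"username {username!r} is taken or was retired recently")
    with conn:
        uid = conn.execute("INSERT INTO accounts (username) VALUES (?)", (username,)).lastrowid
        conn.execute(
            "INSERT INTO username_history (user_id, username, started_at) VALUES (?, ?, ?)",
            (uid, username, now.isoformat()),
        )
    return uid


def change_username(conn, user_id, new_name, now):
    """Rename atomically: close the old history row, open a new one, update the current name."""
    if not name_is_available(conn, new_name, now):
        raise ValueError(f"username {new_name!r} is taken or was retired recently")
    with conn:  # one transaction, so the audit trail and the current name never disagree
        conn.execute(
            "UPDATE username_history SET ended_at = ? WHERE user_id = ? AND ended_at IS NULL",
            (now.isoformat(), user_id),
        )
        conn.execute(
            "INSERT INTO username_history (user_id, username, started_at) VALUES (?, ?, ?)",
            (user_id, new_name, now.isoformat()),
        )
        conn.execute("UPDATE accounts SET username = ? WHERE user_id = ?", (new_name, user_id))


def previous_names(conn, user_id):
    """The 'recently used names' list a profile page could show, newest first."""
    rows = conn.execute(
        "SELECT username FROM username_history WHERE user_id = ? AND ended_at IS NOT NULL "
        "ORDER BY ended_at DESC",
        (user_id,),
    ).fetchall()
    return [r[0] for r in rows]


def author_of(conn, post_id):
    """Because posts join through user_id, old posts show the author's current name after a rename."""
    return conn.execute(
        "SELECT a.username FROM posts p JOIN accounts a USING (user_id) WHERE p.post_id = ?",
        (post_id,),
    ).fetchone()[0]


def demo():
    """Walk through a rename and report what each check returns (constructed sample data)."""
    conn = open_db()
    t0 = datetime(2021, 1, 1)
    alice = register(conn, "alice", t0)
    conn.execute("INSERT INTO posts (user_id, body) VALUES (?, ?)", (alice, "hello"))
    change_username(conn, alice, "alice_smith", t0 + timedelta(days=30))
    try:
        register(conn, "alice", t0 + timedelta(days=60))
        old_name_rejected = False
    except ValueError:
        old_name_rejected = True
    return {
        "author_after_rename": author_of(conn, 1),
        "history": previous_names(conn, alice),
        "reuse_blocked_soon": name_is_available(conn, "alice", t0 + timedelta(days=60)),
        "case_variant_blocked": name_is_available(conn, "Alice", t0 + timedelta(days=60)),
        "reuse_allowed_later": name_is_available(conn, "alice", t0 + timedelta(days=30 + 366)),
        "register_old_name_rejected": old_name_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The UNIQUE constraint on `accounts.username` only protects the current name; the history-window check is what stops a retired name from being picked up, so on a real database it should run inside the same transaction as the insert (or under a suitable lock) rather than as a separate read followed by a write.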

Reason no. 3 applies to me. My username, email account, LoL account etc. is 'kukis13'. It is a perfectly good username when I use it in my home country, but since I moved to Sweden it has a very nasty meaning. So I would love to change it, but most of the services don't allow for that.

    @aroth I recall one forum, that I was a member of, that allowed name changes. The new name/picture would essentially be retroactively applied to old messages, as opening the message would just load the current name/picture of the post's author. This could prevent some accountability evasion.

    Reason #4 the website the account is registered on has a hidden hat that's only triggered when you change your user/display name.

    While this answer currently has the most up-votes and definitely did bring up good points on allowing an individual to change their username, it still doesn't address the actual question of "From a security standpoint, would you say it is good or bad practice to allow individuals to change their username?" Think of for example a banking website or any other site where username is private and there may not be any public display name.

    @aroth - At least on SE mods can access an audit history of name changes, and regular users can usually work it out with minimal digging through previous conversations or the offending user's profile, making the effect on accountability (or evasion thereof) a fairly minor inconvenience. Plus, no amount of name changes will remove past flags or stop the auto-scripts from banning someone from asking or answering.

    @MichaelRichardson surely that's the case here, except @-mentions. It's slightly confusing when you realise that the post mentioning `@Alice` now shows up as written by `Bob`, but that's a minor UX issue.

    "any attack surface provided by someone changing their username is also present for someone simply creating a new account" - not quite, because a new account doesn't come with an established history. For example, it's probably easier to impersonate a Stack Exchange user if your rep has the same number of digits as theirs.

    Another reason, using email as username has been fairly popular. Using my college email address ended up not being a great idea for some sites since I can't access it anymore and any sites using it as my username cause problems when they need to email me.

    I have updated my answer in regards to the question having had its scope narrowed, as well as in response to some of the fine commentary here.

    @fluffy I asked this question on the Information Security site and thought I clarified my intentions of the question, especially when the original question ends with "I know there are advantages from the user's perspective...Instead, I'm curious of the benefits vs risks regarding the *security of the application and login process* if you allow them to change their username." I was probably focusing too much on the first half of your question, though, where you focused on points of user comfort, but indeed towards the end of your answer you did give answers regarding the application's security.

License under CC-BY-SA with attribution
