Why is there a minimum username length?

  • In some (web) applications there is a minimum length for usernames; usually the restriction is a minimum of 6 characters.

    For example, free Gmail accounts and Miiverse (Nintendo social network).

    Why is there a minimum username length? And why a minimum of 6 characters?

    A guess would be that they want to reserve some special ones for themselves: [email protected], [email protected], [email protected], [email protected]. Or they just don't want to deal with the many, many collisions that would happen. I wonder if there are more "valid" reasons.

    First off, I don't want nor need a mommy to watch over my accounts. I can handle them quite well. I wish to use my FCC legal amateur radio call sign as my email name (5 characters). It was issued to me, and to me only. Anyone found using it in any form of communication, without my permission, is in direct violation of the FCC rules and subject to a very large fine if they persist. I find this argument that small names are more likely to be spammed to hold no merit. I get tons of spam with longer names. The spammers can glean out the email addresses extremely easily. Many sites are set up to look legitim

  • bethlakshmi (Correct answer)

    7 years ago

    I agree that having a longer or shorter username should not be a point for making your account more or less secure. That's what the password or any other proof of identity should be doing. The username is just a way of addressing you and it's totally public.

    The only requirement is that it be unambiguous - you can't have two people using the same username.

    I will say that there's probably a value to starting the number of required characters at some minimum limit as a way of resolving contention over very short, very easy to remember usernames. Forcing everyone to go with at least 6 characters is a good way to keep users trying to set up their usernames from thrashing through all possible < 6 character options only to find that all of them have been taken. Cutting down the frustrated users is a big deal on a large scale system like Google - which is also why you see suggested usernames to help you try to find something that's available that you can live with.

    I'd believe them when they say that spam is an issue on short usernames - the smaller the address space, the easier it is to cover, and I would not be surprised to find that spammers can cover the < 6 character username space pretty efficiently. I'm not sure I believe the "it's for your own good" line - I think it's for Google's own good. If they can simply deny ALL email that comes in for a username that is less than 6 characters, that's a nice chunk of traffic to be able to flat out deny without further matching needed. The more clever your spam filters, the more resources they can take to execute, so being able to flat out deny any chunk of your username space has got to be a win.

    I'd agree that in a small userbase - like a private domain or a small company - it's probably less valuable as you have neither the large size user base nor the huge level of traffic/storage requirements of a social networking site.

    As an extreme example of the "contention over very short, very easy to remember usernames", I offer http://arstechnica.com/security/2014/01/picking-up-the-pieces-after-the-n-twitter-account-theft/ in which someone stole the Twitter handle @N by holding the rightful owner's domains hostage. According to the original owner's article (linked from the above), the handle was valued at $50,000 at one point.
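
The answer's two points about short names (a small space that is easy to cover, and a cheap refusal before costlier spam filtering) can be made concrete. This is an added example, not code from the answer or from any mail provider; the alphabet, the `example.test` domain, the sample recipients and the function names are assumptions.

```python
import string

# Assumptions (not from the page): local parts use a-z, 0-9 and '.',
# and the minimum length is 6, the figure quoted in the question.
ALPHABET = string.ascii_lowercase + string.digits + "."
MIN_LEN = 6


def names_shorter_than(min_len, alphabet_size=len(ALPHABET)):
    """Count every possible username of 1 .. min_len-1 characters."""
    return sum(alphabet_size ** n for n in range(1, min_len))


def names_of_length(n, alphabet_size=len(ALPHABET)):
    """Count every possible username of exactly n characters."""
    return alphabet_size ** n


def fast_reject(rcpt, domain, min_len=MIN_LEN):
    """True when a recipient can be refused without content filtering."""
    local, sep, rcpt_domain = rcpt.strip().lower().rpartition("@")
    if not sep or not local:
        return True            # malformed: no '@' or empty local part
    if rcpt_domain != domain:
        return False           # not our domain: length policy does not apply
    return len(local) < min_len


def triage(recipients, domain, min_len=MIN_LEN):
    """Split recipients into (refused_cheaply, passed_to_spam_filter)."""
    refused, passed = [], []
    for rcpt in recipients:
        (refused if fast_reject(rcpt, domain, min_len) else passed).append(rcpt)
    return refused, passed


# Constructed sample envelope recipients for a hypothetical domain.
SAMPLE = ["n@example.test", "admin@example.test", "bethlakshmi@example.test",
          "abc123@example.test", "ab.cd@example.test", "not-an-address"]

if __name__ == "__main__":
    refused, passed = triage(SAMPLE, "example.test")
    print(f"names under {MIN_LEN} chars:      {names_shorter_than(MIN_LEN):,}")
    print(f"names of exactly {MIN_LEN} chars: {names_of_length(MIN_LEN):,}")
    print("refused on length alone:", refused)
    print("sent on to full filtering:", passed)
```

Under these assumptions the whole space below 6 characters is about 71 million names, roughly 36 times smaller than the space of 6-character names alone, and a length check alone settles four of the six sample recipients.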

Licensed under CC-BY-SA with attribution


Content dated before 7/24/2021 11:53 AM