What should the character limit(s) for first/last name inputs be?
We want to create input fields for a user's first and last names. What should the minimum and maximum limits be, if any, and why?
None. No limits at all, upper *or* lower. If you set a limit then there will be people who can't add their details correctly. What is your reason for wanting to put limits on there? Worth a read is the classic post falsehoods programmers believe about names
I voted to close this question, as it is about implementation, not user experience. This would be better suited on SO or DBA.SE.
@JonW - Database data types have limits. Therefore, there *has* to be a limit. Whether it's `VARCHAR(200)`, `VARCHAR(2000)`, or `VARCHAR(MAX)`, it's still a limit.
@CodeMaverick: Well yes, and an `INT` only allows integers. But you wouldn't use that as a data type for a persons name. The type of data being taken should lead what data type is used to store it, not the other way around.
@JonW - Riiiiiiight ... hence why I used `VARCHAR`. You could also use `NVARCHAR` to get names with Unicode chars. Point is, you have to have a limit. No limits is an impossibility.
@JonW None of those falsehoods, while interesting, address length. The reason why you want to put a limit on fields is for security purposes. Say you have code that sanitizes input but an attacker finds a vulnerability in that sanitation that allows them to execute arbitrary code. If your input field doesn't allow them to enter more than 100 chars, then it decreases their options for exploiting the vulnerability. It is entirely reasonable to say that names should have an upper limit in length. If the field is required then obviously the lower limit is at least 1 char.
The question here is really what is the shortest length possible while not hindering usability, which is a valid UX question.
@CharlesWesley: Yes, but these are all implementation issues. From a pure UX perspective the moment you set a limit you're imposing a theoretical restriction on certain people using the system. Whether anyone actually meets that restriction is a different matter. Although with names people are free to be named anything.
@JonW - Let's say you want to accept all possible data to be stored as a name. You'd agree that in order to do that, we would have to use a Unicode data type like `NVARCHAR`. Then, let's take the maximum storage size allowed for that data type in SQL Server; `NVARCHAR(MAX)`, which is 2^31-1 bytes, or 2 GB. Are you saying that's imposing a restriction on certain people? I think not. Not to mention, the longest name recorded by Guinness is 226 characters long.
@JonW users only exist in a world that is full of limitations. Users are limited in their ability to see colors, move mice, hold devices, very bright or very dark environments, etc. good UX seeks to mitigate those limitations in a way that affects the user the least disruptive way possible. This case is just another manifestation of UX having to operate in a tangible world with tangible limits that need to be accounted for. (as an aside I very much enjoy the discussion)
For an XSS exploit 100 characters are more than enough, so using security as an excuse to limit the length is nonsense. Also for what intention are you collecting the data? In most cases, when for example sending letters, it is easier to ask for the "full name" instead of first and family, for the "full address" instead of street, number, zip code, city, country, etc.
If the only problem is your database, pick a large number like 1000 characters or so. Still easy for a database, and not really a limit at all otherwise. It's more important to avoid having "first name" and "last name" fields since there a *lots* of people whose names don't fit into such a scheme.
Regarding the close for reasons of implementation: the question is not HOW to limit the length of fields. It is WHAT should the limit be.
In theory the correct answer is no upper limit for name lengths. Allow the user to enter whatever their name is using whatever characters are available to them so that you will never run into a circumstance where someone is prevented from entering their valid real name.
In practice that is not possible to implement.
There have to be limitations.
These limitations can be subjective, such as what constitutes a "real" name so that you don't end up with names like :
To this end Facebook, for example, has a fairly straight forward set of constraints they enforce:
Names can't include:
- Symbols, numbers, unusual capitalization, repeating characters or punctuation
- Characters from multiple languages
- Titles of any kind (ex: professional, religious, etc)
- Words, phrases, or nicknames in place of a middle name
- Offensive or suggestive content of any kind
Length is not explicitly mentioned, however according to this SO post the limit is currently 50 chars.
In Active Directory the
Display-Nameattribute is limited to 256 characters.
These are just two examples that vary. You could research multiple services to see what their length limits are, but the truth is you need to decide for yourself what is acceptable.
But why have a limit at all?!?
There is one limitation that is not subjective: security.
Any interface that accepts and internalizes user input absolutely must without question treat input as a threat that must be validated and sanitized. Input should be validated to ensure it is of the correct type, length, format, and range.
Input should be sanitized to prevent little bobby tables from ruining your day. But in the case where a weakness in your sanitation is discovered, the validation step (including checking for length) offers protection by limiting how the attacker can exploit a vulnerability.
There is another objective limitation: storage capacity.
There is nobody in any culture in the entire world that has a name that is legitimately 1,073,741,823 bytes long (the upper bound of a
ntextdata type in SQL Server). But even that is a limit which is a technical limitation of the data store.
So what should the limit be?
The problem is that no limit is not an option for several reasons; some arguably subjective while others objective, real, and unavoidable.
But we also don't want to have users be unduly constrained.
A well designed system will ensure that both needs are met without the user ever knowing that there is a limitation in place to begin with. It should be transparently secure and usable.
To that end, I think a reasonable limit should be (arbitrarily) 25% longer than the longest name in your current data set. Given a large enough sample, that should ensure you will be giving your users enough breathing room but not allowing a malicious user to try to exploit your system.
Let's hope that Jensen Jay Alexander Bikey Carlisle Duff Elliott Fox Iwelumo Marney Mears Paterson Thompson Wallace Preston doesn't need to sign up!
Sure, however even that is only 107 bytes which would be perfectly acceptable in Active Directory, and would leave 1,073,741,716 unused bytes in an ntext column.
@JonW - That's only 107 characters long though, and like I said up top, the longest name recorded by Guinness is 226 characters long, which is well within the limits of string storage in any database.
It may also be worth considering the UX implications of _displaying_ arbitrary length names.
Excellent point @DanBryant -- I think the Facebook policy is aimed squarely at that aspect of the issue.
@CodeMaverick - that's living person. If this Wikipedia article is to be believed (Google books has the 1978 Guinness world records book scanned, and a search inside does show him being in there, so unless Guinness got played, it's real) then at least 750 characters would be appropriate for the full name. If you're going to set a limit I'd go with 1024, but then I like round numbers.
@MichaelKohne - Sure and the whole point is that even the longest of names will eventually run up against a limit.
Hyphens should be allowed for double-barrelled names; I'm sure Jean-Claude Van Damme wouldn't want to have to do the splits on his name :)
I hate Facebook as an example because they do not allow even common punctuation in names. The dot in my name is a bit unusual but I have friends who are unable to enter their actual name which legitimately contains characters Facebook doesn't like. I hope @NogaNitzan's implementation considers the character set as well as the length.
I know I'm a late comer, but when talking about security all input that is, can be, will be, or might be altered by users should be in a prepared statement; will this not mitigate the security risk of a username, for instance say they put in ' a OR 1=1; drop * tables' their username would simply be, ' a OR 1=1; drop * tables', the name should never be in an environment where it can run, right?
Given the diversity of names, I wouldn't...
- set a floor or ceiling limit on name length,
- OR even break the name into two separate fields.
Depending on the country / cultural background of a person, they may have a more Westernized [first-name] [surname] name, but they may not. Why possibly bar users from entering their complete name because of arbitrary limits?
If your reason for splitting the first and last names into separate fields is so you could possibly address a user by their first or last name, I would suggest providing an additional, optional field for the user asking for their nickname or how they would like to be addressed.
Could you show us all how to not set a floor or ceiling limit on name length? What data type do you use to store an infinite amount of data?
First-name surname split into 2 different fields is also really annoying even if your name does fit into that paradigm. Most people instintively type their full name (it's an automatic thing almost like a signature), and then have to go back and correct it to split into 2 fields.
If you don't set an upper limit, some smart-alec is going to come along and drop a copy of the King James Bible in the name field.
@Mark Nice hyperbolic example there. So to ward that off, I should set a maximum 30-character limit?
If you want. Personally, I'd set it to something more reasonable, such as 255 characters.
@CodeMaverick Technically that's an implementation-related question. This answer is a response to a UX question.
50 characters (of which 15-25, depending on layout, are visible in the form input field) for the family name should be plenty. It's what works well for me, anyway. For consistency, one should assign the same amount for the first name(s).
I decided for the number 50 a decade or so ago because the longest realistic name I could come up with ad hoc was 15 characters, and 3x15 = 45 (3x for being safe), rounded up to 50. I've been using that magic number since then, and so far not had any complaints. Not expecting any, either.
Yes, in an ideal world, there should be no limits, and every limit that you choose is "wrong" the moment you choose it. We, however, live in a real world where storage (and screen space) is finite and where forms need to be laid out in a sensible, meaningful way.
If your parents decided to give you a 350-letter name, the clerk in the register office will tell you that you're out of luck getting a passport with that name as well. No, they're not going to make an extra-large passport just for you.
The longest claimed surname assigned to an alleged person has 35 letters, although the name ("Wolfeschlegelsteinhausenbergerdorff") looks much more like a hoax than a real name. Though it might be a real person who deliberately chose such a name for making himself important, you can never know.
I doubt it, though, since in particular when you look at the well-known meme Wolfeschlegelsteinhausenbergerdorffwelchevoralternwarengewissenshaftschafers [...] which is not a German name but an entire narrative in some kind of pidgin German that roughly translates to something like "... who a long time ago were diligent shepherds whose well-maintained very diligent knitter-free and protecting gear which [another 3 levels of indirections, and more nonsensical blah blah]", it appears as completely made-up bullshit.
It's admittedly a slightly different story for Mr. Preston from Lancashire, who to all appearances is a real person with an insane parent (or two insane parents), but actually not so much different.
Mr. Preston will not be massively impaired (nor will there be a chance of confusing him with someone else) if he can only enter "Jensen Jay Alexander Bikey Carlisle Duff Elliott" for his first name(s). He will likely only want to use "Jensen Jay" or "Jay" anyway, and curse his father every time kids in school make fun of his names.
Even most existing names for locations (which are generally much longer than names given to people) can fit into 50 characters, with the Maori name of a small hill in New Zealand being the exception. Since there's only about 60,000 people speaking that language at all, and most people on the planet probably have never heard of that unimportant hill, that's rather neglegible.
Every other existing location's name on the planet will fit into these constraints at least with its short form (1 place in Wales) or completely (every other known place).
Based on the type of the application you may want to select an upper or lower limit for the names. The upper limit though a tricky approach the lower limit may be 1 char since the person may choose to write an initial instead of the complete name. If your system requires a name then obviously you wouldn't want the user to exit without entering a name at all.
Selection of the upper limit on the chars will also depend on the kind of implementation and the target audience that you expect to host.
If your implementation is of the social networking order you can let the user set an exceptionally long name, well it is social networking so you can't restrict the user from going crazy. However you can guide him/her by restricting to a certain upper limit (else they may want to insert a 1024 chars long post as the name itself). Increasing UX is highly important but then there's always the trade off somewhere so if you remove the concept of the first and last name and provide a single field for name with say 300-350 chars as an upper limit it will be long enough to experiment and yet short enough to keep you site sane.
For a semi/non social networking order where you expect people coming expecting some information and that they may be kind of serious (atleast not in the social networking mood) then they may prefer keeping it simple and realistic when it comes to names. You may choose to set a limit around a safe 100-125 chars for each of the first and second name. It is pretty evident that we cannot judge the kind of names that we may encounter hence will have to be generous in limiting it.
Moreover you may want to restrict the use of special characters in the name (again based on the implementation), although this may not be related to the question that you asked but it was popping up in my head time and again so just shared it.
None of this really says *why* you'd set these limits. What does 'short enough to keep your site sane' mean? What are the 'implementation' issues that would necessitate character limits? (and that's more of an implementation issue that you're transferring onto the user rather than dealing with it technically). I also disagree with restricting special characters. Again, *why* do this? There will be people with `á`, `'` or `&` in their name. And certainly with brackets `()`. Also how does having a limit 'guide him/her by restricting to an upper limit' work? What are you guiding? And why?
Hey JonW, I did not mean to offend you. Okay I'll try addressing to the points one at a time. By short enough I meant that if your site hosts a multitude of users who may be shown together (let say as result to a search) then if we have like really long names (say ranging into 1024 chars) then primarily it may ruin the UI and also the UX associated with it may be hampered. By implementation I meant the nature of the site/ application, which can help the UX designers take a call on the kind of target audience they can expect and kind of interaction from the audience.
About the special characters, if we take the example of a professional website say LinkedIn.com where people interact on a professional basis if we have some users with names like [email protected]@n or Ron!, it would somehow drive away the seriousness for viewing their profile where as if you have those names in a social networking site then probably it would look cool so that might even work there. Here my perspective was considering the visitors to the site and based on the purpose of the site.
I'm not offended, just wanted to see some reasoning. You make some valid points actually, but they're mostly related to display usernames, not users *actual* names.
Oh yes. My perspective was with what and how it is to be displayed. However I do have a doubt, if we give the user the freedom of infinite sized names (for the system) how will the database be designed for those fields since there it will be required to set some limit for the field and if not set then based on the datatype there will be a default limit that the system will set. So how will we handle this ?