I read everywhere (and see in practice) that usernames should not be changeable. When I ask why, 'security' is given as a reason.
I've been searching for a definitive
It may or may not be bad for security, but if user IDs are based on user names, it may prove embarrassing. Think, for example, a user Jane Smith (married to Mr Smith) who gets divorced and wants to revert to her pre-marriage name. Every time she logs in to your system, it's reminding her of what was.
Now you could just create a new account, and move any configuration over to that new account. Or you could use something else other than the user name so that a user/login ID can be changed, but that's mapped to some unchanging other ID - like a sequence number or something similar.
You need to have some unchanging ID - at the very least so any auditing that's performed by the targeting system is complete. Creating a new user (thus providing a new user ID) on a name change breaks the audit chain and requires a person to remember that "Oh yes, she was called Jane Smith last year"...
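The mapping described in the answer above, as an added example that is not part of the original post: a changeable login name sits on top of an immutable sequence-number ID, and audit records are keyed on that ID so the trail survives a rename. The table layout, function names and the sample logins `jsmith` and `jdoe` are assumptions constructed for illustration.

```python
import sqlite3

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            user_id  INTEGER PRIMARY KEY,   -- immutable sequence number
            username TEXT NOT NULL UNIQUE   -- login name, may change
        );
        CREATE TABLE audit_log (
            event_id      INTEGER PRIMARY KEY,
            user_id       INTEGER NOT NULL REFERENCES users(user_id),
            username_then TEXT NOT NULL,    -- name in use when the event happened
            action        TEXT NOT NULL
        );
    """)
    return db

def create_user(db, username):
    return db.execute("INSERT INTO users (username) VALUES (?)", (username,)).lastrowid

def record(db, user_id, action):
    # Events are keyed on user_id; the name is stored only for human readers.
    (name,) = db.execute("SELECT username FROM users WHERE user_id = ?", (user_id,)).fetchone()
    db.execute("INSERT INTO audit_log (user_id, username_then, action) VALUES (?, ?, ?)",
               (user_id, name, action))

def rename(db, user_id, new_username):
    # The rename is itself audited (under the old name) before the update.
    record(db, user_id, f"rename to {new_username}")
    db.execute("UPDATE users SET username = ? WHERE user_id = ?", (new_username, user_id))

def history(db, username):
    # Resolve the current login name to the ID, then return every event for that ID.
    return db.execute(
        """SELECT a.username_then, a.action FROM audit_log a
           JOIN users u ON u.user_id = a.user_id
           WHERE u.username = ? ORDER BY a.event_id""", (username,)).fetchall()

def demo():
    db = open_db()
    uid = create_user(db, "jsmith")   # constructed sample login
    record(db, uid, "login")
    rename(db, uid, "jdoe")           # constructed new login name
    record(db, uid, "login")
    return uid, history(db, "jdoe"), history(db, "jsmith")
```

Looking up the new name returns the events recorded under the old one, so nobody has to remember the earlier name to follow the audit chain.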