I read everywhere (and see in practice) that usernames should not be changeable. When I ask why, 'security' is given as a reason.
I've been searching for a definitive
Keeping a consistent username is entirely irrelevant if you do two things: have a separate unchangeable userid, and properly normalize your database. The first is important because it means you're not using the username as a database key (or for any other permissions or anything like that, thus dodging many of the issues other posters have brought up). The second is important because it prevents the fraud-like attacks such as Jason brought up, because when you change your username, it will change on all the old posts and any other place it is displayed.
I see no reason why it matters if you have a separate display name or not, the username can still be changeable without any security problems. You'll likely want to keep a record of past usernames so that if someone emails you about a lost/hacked account, you can find it, as mentioned by jumpdart. But surely, you're already tracking past email addresses associated with the account for the same reason, right? :) I say make them changeable. The extra effort is negligible, and there are many legit uses.
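The layout this answer describes, as an added sketch that is not code from the thread: an immutable `id` is the only key, posts reference it, and each rename is recorded for support lookups. All table, column and function names are illustrative assumptions, and the sample rows are constructed.

```python
import sqlite3

# Table, column and function names are illustrative assumptions.
SCHEMA = """
CREATE TABLE users (
    id       INTEGER PRIMARY KEY,       -- immutable key, never edited
    username TEXT NOT NULL UNIQUE       -- changeable display/login name
);
CREATE TABLE posts (
    id        INTEGER PRIMARY KEY,
    author_id INTEGER NOT NULL REFERENCES users(id),  -- the id, not the name
    body      TEXT NOT NULL
);
CREATE TABLE username_history (
    user_id      INTEGER NOT NULL REFERENCES users(id),
    old_username TEXT NOT NULL,
    changed_at   TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
"""

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample data.
    conn.execute("INSERT INTO users (id, username) VALUES (1, 'alice'), (2, 'bob')")
    conn.execute("INSERT INTO posts (author_id, body) VALUES (1, 'first post'), (2, 'reply')")
    conn.commit()
    return conn

def rename_user(conn, user_id, new_name):
    """Record the old name and set the new one in a single transaction."""
    with conn:  # commits on success, rolls back if the new name is taken
        row = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()
        if row is None:
            raise KeyError(user_id)
        conn.execute("INSERT INTO username_history (user_id, old_username) VALUES (?, ?)",
                     (user_id, row[0]))
        conn.execute("UPDATE users SET username = ? WHERE id = ?", (new_name, user_id))

def posts_with_authors(conn):
    """Names are joined at read time, so old posts show the current username."""
    return conn.execute("SELECT u.username, p.body FROM posts p "
                        "JOIN users u ON u.id = p.author_id ORDER BY p.id").fetchall()

def find_account(conn, name):
    """Support lookup: resolve a current or past username to the immutable id."""
    row = conn.execute("SELECT id FROM users WHERE username = ? UNION "
                       "SELECT user_id FROM username_history WHERE old_username = ?",
                       (name, name)).fetchone()
    return row[0] if row else None
```
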