Why should usernames be unchangeable?

Backend · Unresolved · 8 · 1913
借酒劲吻你 2021-02-05 06:28

I read everywhere (and see in practice) that usernames should not be changeable. When I ask why, 'security' is given as a reason.

I've been searching for a definitive

8 answers
  • 2021-02-05 06:39

    There are a number of reasons from a security aspect that you may not wish to allow users to change their names. However, as an all-out "NEVER do this" - I don't necessarily agree. But, allowing name changes creates quite a bit of extra work. If you are going to allow users to change their identities, you have to be very careful due to the reasons below.

    1. Maintaining a consistent user identity. Let's say you run a message board and Troll_1 is on everybody's block list. If Troll_1 is able to change his or her name, then all those user filters are no good and you have some unhappy users.
    2. Along with answer number 1, you also want to maintain consistency across your underlying systems. If users are allowed to change names, you have to make sure you check that you update every system that that user is using so that he or she does not lose (or gain) permissions into areas they are (or are not) allowed. Additionally, if a user changes his or her name and a new user wishes to use that name, you may, inadvertently, allow that new user access to the old user's information/data/whatever if you have not done due diligence in updating your systems.
    3. Depending on what type of system you have, allowing someone to change their user name can make your system prone to abuse from a fraud standpoint. You could have someone switching their name back and forth pretending to be two different people in an attempt to scam someone. An unaware victim may easily fall for it. (Sounds stupid, I know, but I have seen people come up with crazier crap.)

    Anyway, as I said - I don't believe it's necessarily a bad thing to allow users to change their names. However, it does create quite a bit more work for you, the developer. User names now can't be unique IDs in a database and user names now don't necessarily relate to someone (because they can be changed later), so you have to have a different system in place for expressing "uniqueness."

  • 2021-02-05 06:44

    If you don't allow people to change their usernames then some people are just going to create new accounts. I don't see any security risk in this, and many apps including SO allow you to change your name. If you change the name, keep the userid (primary key) the same so all of the data links up properly.

    The only danger I see is if you can change your name to an account that already exists like 'admin'.

  • 2021-02-05 06:45

    Keeping a consistent username is entirely irrelevant if you do two things: have a separate unchangeable userid, and properly normalize your database. The first is important because it means you're not using the username as a database key (or for any other permissions or anything like that, thus dodging many of the issues other posters have brought up). The second is important because it prevents the fraud-like attacks such as Jason brought up, because when you change your username, it will change on all the old posts and any other place it is displayed.

    I see no reason why it matters if you have a separate display name or not, the username can still be changeable without any security problems. You'll likely want to keep a record of past usernames so that if someone emails you about a lost/hacked account, you can find it, as mentioned by jumpdart. But surely, you're already tracking past email addresses associated with the account for the same reason, right? :) I say make them changeable. The extra effort is negligible, and there are many legit uses.

  • 2021-02-05 06:46

    It may or may not be bad for security, but if user IDs are based on user names, it may prove embarrassing. Think, for example, of a user Jane Smith (married to Mr Smith) who gets divorced and wants to revert to her pre-marriage name. Every time she logs in to your system, it's reminding her of what was.

    Now you could just create a new account, and move any configuration over to that new account. Or you could use something else other than the user name so that a user/login ID can be changed, but that's mapped to some unchanging other ID - like a sequence number or something similar.

    You need to have some unchanging ID - at the very least so any auditing that's performed by the targeting system is complete. Creating a new user (thus providing a new user ID) on a name change breaks the audit chain and requires a person to remember that "Oh yes, she was called Jane Smith last year"...

  • 2021-02-05 06:48

    I disagree with the premise. There are plenty of big name sites that let you change your username; eBay is one of the first ones that comes to mind.

    Edit:

    Now that I think about this, and read Rook's answer, I remembered about a place I worked at where you could not create an account with a username that already existed, but you could always change it (later, after registration) to a username that already existed. Unfortunately, at said place, permissions were based on the username... you can see where the security problem lies.

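The design the answers above converge on (an immutable numeric id as the only key used for permissions and joins, a unique but mutable username, a history of past names for account recovery, and a rename that refuses names already taken or reserved, which is the failure in the last answer), as an added example in Python with sqlite3. This is not code from the page or from any of the sites mentioned; the schema and the reserved-name list are assumptions.

```python
import sqlite3

# Constructed schema: users are keyed by an id that never changes; the
# username is a unique, case-insensitive attribute that may be changed,
# and permissions reference the id, never the name.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE COLLATE NOCASE
);
CREATE TABLE username_history (
    user_id INTEGER NOT NULL REFERENCES users(id),
    old_username TEXT NOT NULL COLLATE NOCASE,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TABLE permissions (
    user_id INTEGER NOT NULL REFERENCES users(id),
    role TEXT NOT NULL
);
"""
RESERVED = {"admin", "root", "support"}  # assumed reserved names

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def create_user(db, username):
    cur = db.execute("INSERT INTO users(username) VALUES (?)", (username,))
    return cur.lastrowid  # the immutable id everything else refers to

def rename_user(db, user_id, new_name):
    """Change the name; the id and its grants are untouched. Returns old name."""
    if new_name.lower() in RESERVED:
        raise ValueError("reserved username")
    old = db.execute("SELECT username FROM users WHERE id=?", (user_id,)).fetchone()[0]
    try:
        with db:  # one transaction: the UNIQUE constraint rejects taken names
            db.execute("INSERT INTO username_history(user_id, old_username) VALUES (?,?)",
                       (user_id, old))
            db.execute("UPDATE users SET username=? WHERE id=?", (new_name, user_id))
    except sqlite3.IntegrityError:
        raise ValueError("username already taken")  # history row rolled back too
    return old

def roles_for(db, username):
    """Permissions are looked up via the id, so they follow the user across renames."""
    rows = db.execute("SELECT p.role FROM permissions p JOIN users u ON u.id = p.user_id "
                      "WHERE u.username = ?", (username,)).fetchall()
    return [r[0] for r in rows]

def find_by_old_username(db, name):
    """Account recovery: which ids have ever used this name?"""
    rows = db.execute("SELECT user_id FROM username_history WHERE old_username = ?",
                      (name,)).fetchall()
    return [r[0] for r in rows]
```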
  • 2021-02-05 06:48

    I'd say that not being able to change a name is BAD for security. Especially when the login is an email address. Steam is a perfect example of this... people signed up 5 years ago when they were in high school, with their finalfantazy7rocks@yahoo.com emails. Now they have to continue remembering that email, remembering both the Steam and email passwords, ensuring that no one has gotten access to the email, etc... even when they haven't used the email account in years. Basically it reduces the likelihood that the login email is actually checked, which makes "forgotten password" emails and etc. less secure.

    And you can't just make a new account if real-value items such as games are tied to that account. You're stuck with your name for life.
