Why should usernames be unchangable?

Question

I read everywhere (and see in practice) that usernames should not be changeable. When I ask why, 'security' is given as a reason.

I've been searching for a definitive answer as to why changing a username is insecure, but I can't seem to find the answer.

Could any of the security experienced people here answer this question?

Note: if you do not know the answer, please refrain from speculation. I've thought of a number of reasons myself, but I don't know the actual answer, hence the question.

UPDATE:
1: By userId I meant to refer to some sort of unique identifier, be it a database record id or some other unique id. I've been told several times that changing the username is bad for security, even if the username is not the primary/unique identifier for the system itself.

2: I do allow users to change their 'public name'. This is the name that is used to identify the user to the other (non-privileged) users. for example:

userId: 1234
username: john02
public name: John Jameson
email: [email protected]

3: As pointed out by Jason and The Rook, consistency seems the only good reason. I've the feeling this 'best practice' might be a leftover from somewhere in the past when usernames where actually used within the system to uniquely identify users.

Answer 1

I disagree with the premise. There are plenty of big name sites that let you change your username; eBay is one of the first ones that comes to mind.

Edit:

Now that I think about this, and read Rook's answer, I remembered about a place I worked at where you could not create an account with a username that already existed, but you could always change it (later, after registration) to a username that already existed. Unfortunately, at said place, permissions were based on the username... you can see where the security problem lies.

Answer 2

If you don't allow people to change their usernames then some people are just going to create new accounts. I don't see any security risk in this, and many apps including SO allow you to change your name. If you change the name, keep the userid (primary key) the same so all of the data links up properly.

The only danger I see is if you can change your name to an account that already exists like 'admin'.

Answer 3

There are a number of reasons from a security aspect that you may not wish to allow users to change their names. However, as an all-out "NEVER do this" - I don't necessarily agree. But, allowing name changes creates quite a bit of extra work. If you are going to allow users to change their identities, you have to be very careful due to the reasons below.

1. Maintaining a consistent user identity. Let's say you run a message board and Troll_1 is on everybody's block list. If Troll_1 is able to change his or her name, then all those user filters are no good and you have some unhappy users.
2. Along with answer number 1, you also want to maintain consistency across your underlying systems. If users are allowed to change names, you have to make sure you check that you either, update every system that that user is using so that he or she does not lose (or gain) permissions into areas they are (or are not) allowed. Additionally, if a user changes his or her name and a new user wishes to use that name, you may, inadvertently, allow that new user access to the old user's information/data/whatever if you have not done due diligence in updating your systems.
3. Depending on what type of system you have, allowing someone to change their user name can make your system prone to abuse from a fraud standpoint. You could have someone switching their name back and forth pretending to be two different people in an attempt to scam someone. An unaware victim may easily fall for it. (Sounds stupid, I know, but I have seen people come up with crazier crap.)

Anyway, as I said - I don't believe it's necessarily a bad thing to allow users to change their names. However, it does create quite a bit more work for you, the developer. User names now can't be unique IDs in a database and user names now don't necessarily relate to someone (because they can be changed later), so you have to have a different system in place for expressing "uniqueness."

Answer 4

I'd say that not being able to change a name is BAD for security. Especially when the login is an email address. Steam is a perfect example of this... people signed up 5 years ago when they were in high school, with their [email protected] emails. Now they have to continue remembering that email, remembering both the Steam and email passwords, ensuring that no one has gotten access to the email, etc... even when they haven't used the email account in years. Basically it reduces the likelyhood that the login email is actually checked, which makes "forgotten password" emails and etc. less secure.

And you can't just make a new account if real-value items such as games are tied to that account. You're stuck with your name for life.

Answer 5

It's may or may not be bad for security, but if user IDs are based on user names, it may prove embarrassing. Think, for example, a user Jane Smith (married to Mr Smith) who gets divorced and wants to revert to her pre-marriage name. Every time she logs in to your system, it's reminding her of what was.

Now you could just create a new account, and move any configuration over to that new account. Or you could use something else other than the user name so that a user/login ID can be changed, but that's mapped to some unchanging other ID - like a sequence number or something similar.

You need to have some unchanging ID - at the very least so any auditing that's performed by the targetting system is complete. Creating a new user (thus providing a new user ID) on a name change breaks the audit chain and requires a person to remember that "Oh yes, she was called Jane Smith last year"...

Answer 6

Keeping a consistent username is entirely irrelevant if you do two things: have a separate unchangable userid, and properly normalize your database. The first is important because it means you're not using the username as a database key (or for any other permissions or anything like that, thus dodging many of the issues other posters have brought up). The second is important because it prevents the fraud-like attacks such as Jason brought up, because when you change your username, it will change on all the old posts and any other place it is displayed.

I see no reason why it matters if you have a separate display name or not, the username can still be changeable without any security problems. You'll likely want to keep a record of past usernames so that if someone emails you about a lost/hacked account, you can find it, as mentioned by jumpdart. But surely, you're already tracking past email addresses associated with the account for the same reason, right? :) I say make them changeable. The extra effort is negligible, and there are many legit uses.

Answer 7

A difficulty arises if users are allowed to switch to names that have been used in the past. If users are always identified using some identifier that will never change nor be reused, it may be possible to safely and sensibly use a username from a UI standpoint if all transactions record both the identity of the user performing the transaction and the username at the time the transaction was performed. In that case, something like a message-board post could be labeled "By: SuperCat (as Mighty Kitty)". Supercat would be the present username of the poster, and Mighty Kitty would be the username the poster had when the post was written.

Answer 8

Lots of answers. You probably have it settled by now. Here's my 2 cents:

Don't let people change their names. Not for security or anything, but because it can reflect poorly on your site. People know a user as xxx and they change to yyy, then their reputation can fade as well. Abusive users will just plague your system with constant changes.

URL indexing: If you are indexed like so - www.somewhere.com/user/awesomeGuy then awesomeGuy changes name to stupidGuy then you lose your indexed results and you get 404 errors or some such when google spiders crawl the site. You will benefit more by having username URLs than allowing people to change their usernames. These days, the ability to change your username is not big on the list of "must haves" when people sign up for a site.

Time: Your time is more important than programming useless features like this.

Just my opinion. No security risks though, unless you don't clean your input.