
I've seen quite a few security-centric sites enforce this policy:

Your username can only be changed once

My question is: Is this done from a security standpoint? If yes, what is the logic behind it? My initial impression is that once you sign up, your original username (and any other username you choose in the future) is linked to you indefinitely, even after you change it, as allowing someone else to claim your (old) username could introduce some kind of security vulnerability. If a site allowed unlimited changes, this could potentially reduce the pool of available usernames by a significant margin.

Is my analysis correct? If yes, what are some examples of security vulnerabilities created by allowing multiple changes?

Or am I barking up the wrong tree altogether?

P.S.

I did read this discussion but the question revolves around whether username changes should be allowed at all. I'm specifically asking why some sites allow you to change your username but limit it to once over the lifetime of the account.

1 Answer

Searching for this specific phrase I only find sites which limit how often the name can be changed within a specific time frame, i.e. per year, per 30 days etc. Reasons for this limitation are not given from what I found and it might even vary from site to site.

But often these are community sites where the username is recognizable by others, i.e. there is some good or bad experience associated with a name and maybe even some trust. Cultivating such associations is what makes up a community, i.e. they are clearly in the interest of the site.

Changing a username, though, interferes with such associations: in the simplest case it breaks associations, but in the worst case it takes over associations by hijacking a username used before by somebody else. The easiest way to keep associations sufficiently stable is to limit how often a username can be changed and also make sure that one cannot reuse a name previously used by somebody else.

Steffen Ullrich
  • Thanks for your insight! Indeed, that would make sense if the limit were based on a specific time frame. However, the sites I'm thinking of allow one change over the lifetime of the account. Additionally, it is not a community-based site where the things you mentioned would matter very much. My guess is that from a purely security standpoint, you don't see a reason to limit username changes? Is that correct? – Bradford Griggs Aug 30 '21 at 22:28
  • I've never seen a site where you can change it only once. Can you give an example of where you've seen this? – schroeder Aug 30 '21 at 22:41
  • @BradfordGriggs: *"Additionally, it is not a community based site where the things you mentioned would matter very much. ... the sites I'm thinking of allow one change over the lifetime of account"* - unfortunately the information snippets you provide are not that useful. You are basically providing riddles which only describe what a site is not and let us guess what the site and its purpose actually is. How can we target what you have in mind if you don't tell us what you have in mind? – Steffen Ullrich Aug 31 '21 at 04:16
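
One way to enforce the two rules named in the answer above (a cap on renames, and no reuse of a name that another account has held), as an added example that is not part of the original thread. The `UsernameRegistry` class, its in-memory storage and the NFKC/casefold comparison are assumptions made for illustration.

```python
import unicodedata

class UsernameError(Exception):
    pass

class UsernameRegistry:
    """Hypothetical in-memory model: a name stays bound to the first account that used it."""

    def __init__(self, max_changes=1):
        self.max_changes = max_changes
        self.owner_of = {}   # canonical name -> account id; entries are never deleted
        self.current = {}    # account id -> current display name
        self.changes = {}    # account id -> renames performed so far

    @staticmethod
    def canonical(name):
        # Assumption: names are compared after NFKC + casefold, so "Alice",
        # "ALICE" and full-width look-alikes all map to the same key.
        return unicodedata.normalize("NFKC", name).casefold().strip()

    def register(self, account_id, name):
        key = self.canonical(name)
        if account_id in self.current:
            raise UsernameError("account already registered")
        if key in self.owner_of:
            raise UsernameError("name is in use or was used before")
        self.owner_of[key] = account_id
        self.current[account_id] = name
        self.changes[account_id] = 0

    def rename(self, account_id, new_name):
        if self.changes[account_id] >= self.max_changes:
            raise UsernameError("rename limit reached")
        key = self.canonical(new_name)
        owner = self.owner_of.get(key)
        if owner is not None and owner != account_id:
            raise UsernameError("name is in use or was used by another account")
        if key == self.canonical(self.current[account_id]):
            raise UsernameError("new name equals current name")
        # The old name is deliberately left in owner_of: it is retired, not released.
        self.owner_of[key] = account_id
        self.current[account_id] = new_name
        self.changes[account_id] += 1

    def resolve(self, name):
        """Map a current or retired name to the account it has always belonged to."""
        return self.owner_of.get(self.canonical(name))
```

Because retired names still resolve to their original account, old mentions and links keep pointing at the same identity instead of at whoever registers the name next.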