
Usernames

Contents

  • Username vs Display name
  • Display name restrictions
  • What others do

Usernames are used for identification in two places in web services: to let people log in and to let people recognize each other. In this article I want to share some ideas on usernames.

Username vs Display name

When I look into my Stack Overflow profile, they have something called "display name":

Stackoverflow Profile edit page

I like this a lot. It communicates clearly that it is something seen by others.

The next question that popped into my mind was whether we need usernames at all. Wouldn't it be simpler to just log in with your password?

Two big problems with that idea:

  • People might choose the same passwords
  • Systems could allow multiple accounts and you might want to have autocompletion

This means we definitely need a username for logging in.

Display name restrictions

Is it a good idea to let people completely freely choose their username from any sequence of Unicode characters?

The problems I see with that:

  • Design: People might choose names that break something. It's hard to have a nice design with a component that could grow arbitrarily.
  • A minimum length might be desirable to make sure one can click on the name (at least one non-whitespace character)
  • Identity theft: Think of the following usernames
    • Obama vs 0bama vs Obamа (the final а is the Cyrillic letter, character 1072)
    • Messing around with whitespace in the beginning / end of a name
    • Messing around with control characters
    • See Unicode Confusables
  • Script injection: By allowing < and > an attacker could choose a username that the page renders as HTML.
  • Interactions: Users interact. For example, in discussions they might naturally write @martin to mention the user martin. This means an @ character should be excluded.
  • Markdown: Other characters like #[]=*~ are also a bad choice as they are part of Markdown.
  • Math: $ is a bad choice as it triggers MathJax / LaTeX.
  • Natural separators: Some characters are natural separators in English, German and French: whitespace, comma ,, semicolon ;, dot ., colon :
  • Offensive Language: Actually, the main problem I see here is when developers try to be smart and have a false positive - seeing something as offensive which is just the name of a person.

Where you might want freedom:

  • Multiple character sets for multi-country support (Cyrillic, Arabic, Chinese, ...)
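
The restrictions listed above can be combined into one validation function. This Python sketch is an added example, not code from the original article; the length limits, the names `check_display_name` and `script_of`, and the mixed-script heuristic are assumptions. It allows any single script, catches the Cyrillic look-alike, and does not catch 0bama, which needs a confusables table such as the Unicode Confusables data.

```python
import unicodedata

# Assumed policy values for this sketch (not taken from the article).
MIN_LEN, MAX_LEN = 3, 30
# Characters the list singles out: HTML, mentions, Markdown, MathJax, separators.
FORBIDDEN = set("<>@#[]=*~$,;.:")
# Cc = control, Cf = format (zero-width, bidi overrides), Zl/Zp = line/paragraph separators.
INVISIBLE = ("Cc", "Cf", "Zl", "Zp")


def script_of(ch):
    """Approximate a letter's script by the first word of its Unicode name."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def check_display_name(raw):
    """Return (cleaned_name, problems); problems is empty if the name is acceptable."""
    # NFKC folds compatibility forms (fullwidth letters, ligatures) to plain ones.
    name = unicodedata.normalize("NFKC", raw)
    problems = []
    if any(unicodedata.category(c) in INVISIBLE for c in name):
        problems.append("control or invisible character")
    # Strip both ends and collapse internal whitespace runs to one space.
    name = " ".join(name.split())
    if not MIN_LEN <= len(name) <= MAX_LEN:
        problems.append("length out of range")
    bad = sorted(FORBIDDEN.intersection(name))
    if bad:
        problems.append("forbidden character: " + "".join(bad))
    # Heuristic: one script per name. Names that legitimately mix scripts
    # (for example kanji plus kana) would need an allow-list of combinations.
    scripts = {script_of(c) for c in name if c.isalpha()}
    if len(scripts) > 1:
        problems.append("mixed scripts: " + ", ".join(sorted(scripts)))
    return name, problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for sample in ["  Martin  Thoma ", "Obam\u0430", "Обама", "<b>Bob</b>", "0bama"]:
        print(repr(sample), "->", check_display_name(sample))
```

Validation at sign-up does not replace HTML-escaping the display name wherever it is rendered.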

What others do

| Service | Min | Max | Charset | Strip | Other |
|---|---|---|---|---|---|
| Twitter (Display Name) | 1 | 50 | Unicode | yes | |
| Stack Overflow (Display Name) | 3 | 30 | letters, digits, spaces, apostrophes, hyphens | yes | must start with a letter or digit |

Published

Aug 3, 2018
by Martin Thoma

Category

The Web
