Is it safe for the site that reducing the minimum username length as 2

Do you think that shorter usernames will affect future security issues for the site, if I change the min username length to 2 instead of the original setting 3.

No it is not safe as autocomplete 2 character name searches will cripple your database.

If you wish to break your site and your database, go for it.

6 Likes

So do you think whether the username is longer and more secure. And I am thinking to change the minimum username length as 4. Is it better? Thank you.

I don’t think codinghorror is primarily referring to your site security. Instead he is referring to site performance being compromised.

You will be encouraging users to choose the minimum permissible set of usernames. A lot of people will use their 2 or 3 character initials instead of a more meaningful name.

Reducing variability concentrates more users on the final branch of the search tree increasing processing time for autocomplete.

You can see how entropy and the scope for variability reduce by comparing namespaces at different username lengths. If every unique minimum-length (A-Z, 0-9) username were to be used then there are only (26+10)^2 = 1,296 two character usernames. Whereas there would be (26+10)^5 = 60,466,176 five character usernames.

So one impact of lower entropy is likely to be longer autocomplete lists where all options are not visible to the user, e.g the username UU could be 20th in the list.

Of course there are also security issues around a more cramped namespace e.g across systems it makes structures more guessable and profiling simpler e.g. https://freehaven.net/anonbib/papers/pets2011/p1-perito.pdf

2 Likes

If a site is in Chinese and usernames are primarily Chinese then setting to 2 can work cause the number of possible single letters is enormous

6 Likes

Yes, 75,000 CJK Unicode characters is a totally different proposition.

I guessed zgzud was more likely to be Slavic than Chinese transliteration. You may be right about that too.

2 Likes

Thank you for your reply. I am a Chinese. And my site is a Chinese site. My default language for the site is Chinese(TW). But some user name use English letter to register a username. Like “zgzud”, it is just a username, it is not my Chinese name, and also not a Chinese name.

I still quite confusing. So which way you quite recommend? "Change setting as 2 is OK“, or “Change setting as 4 or 5 is better”. Thank you!

2 Likes

Thank you for your reply. So do you think is it ok to change the mini username length setting as 2 for a Chinese website. But I think some users still will register as a English letter name.

Actually, the aspect I am most worried about is hacking. If my min username length is set to 2, will this have a bad impact on the site, including performance and security.

Thank you!

Unless your site is closed to the outside world usernames are already visible in profiles, posts and /users.