Why are usernames so restrictive?


(Valts) #1

Since this is the attempt to create the next generation of Internet discussions, why does it still hold to the ages old outdated convention of having usernames that have only letters and numbers? Personally, my username is “vilx-” everywhere and I’m annoyed everytime a website forces me to remove the minus sign or (even worse) append something else to it, like “vilx4”, which is plain ugly and pointless.

I understand that there are abusive people who will make usernames that are hard for others to use. Like a username that consists of a single space or something like that. But there are good Unicode libraries today that allow for normalization of strings and identifying of character classes.

I suggest that the authors use such a library and only forbid unprintable characters as well as usernames consisting completely of whitespace (which can be eliminated by whitespace trimming in the first place).

That, or simply do the same thing as with all objectionable content - make a “flag” button for usernames. That might be needed anyway, because even with the strictest rules nothing forbids one to create a username “Fuk0ffB1tch”.


(Gweebz) #2

I like the restrictions on usernames; it helps prevent people from using usernames which will be hard to use in “@” mentions. I am just glad they separated username from display name. When web applications make me use my username as my display name, that annoys me.


(Valts) #3

The @ mention problem is already solved elegantly - just type @ and you get a list of potential people. And most people will have nice, typeable usernames anyway, so even if you don’t like the popup, you’ll rarely need to use it.


(Adam Davis) #4

There are many places the username is used, including in URLs, such as 301 Moved Permanently so the rules are to prevent issues with this usage.

You might be able to make a case for less restrictive usernames, but “restrictions are outdated” probably isn’t going to get you far.

Consider focusing on how less restrictive usernames improves the user experience, usability, and encourages good discussion.


(Erik Heemskerk) #5

For one, it would be hard if user names were allowed to contain characters used in Markdown syntax, such as *, [, ], and additionally, characters with special functions in Discourse, such as @.

If someone had a user name ‘-------’ (which you think is legal), it would look awkward if someone mentioned him. Yes, you could create complex requirements which are easy to validate, such as this:

  1. Only alphanumerics, and printable symbols, but not (insert Markdown syntax symbols);
  2. More than one consecutive non-alphanumeric is not allowed;
  3. Cannot start with a non-alphanumeric;

Try explaining this to a non-power user. I surmise that’s why Discourse tries to keep it simple.


(Valts) #6

Using in URL’s - yes, that’s a pretty valid technical reason. Though I’m thinking that there are pretty good solutions for “slugging” the username already, plus you can always include an ID in the URL. It could be optional, but present in all links on the site.

As for improving user experience and usability - I rather feel the opposite way.


(Valts) #7

It would look awkward? Yes. Especially if you need to escape something. But, again - that’s why we have the dropdown, plus such usernames would be a minority.


(Erik Heemskerk) #8

Exactly. It would require a lot of testing and potentially a lot of work to enable this scenario, only a small amount of users would benefit from it.

That’s a pretty bad argument. Also consider other users’ experience might be worse of when one user has an untypable user name.

‘Our user experience is generally awesome, except when that one user with the untypable user name is involved. Then, it is hell to work with the system.’


(Valts) #9

[quote=“korben, post:8, topic:1315”]Exactly. It would require a lot of testing and potentially a lot of work to enable this scenario, only a small amount of users would benefit from it.[/quote]I think it could be completed in one afternoon. Unless you want to write your own Unicode library, of course, but then you’ve got bigger problems. Also, I think that a lot of users would use typeable non-alphanumeric characters like the aforementioned minus sign or an apostrophe (another popular choice) etc. I think that untypeable usernames would be a minority.

[quote=“korben, post:8, topic:1315”]‘Our user experience is generally awesome, except when that one user with the untypable user name is involved. Then, it is hell to work with the system.’[/quote]Using the dropdown is hardly hell. In fact, I would expect that most people do it anyway (with keyboard or otherwise) to avoid spelling mistakes when typing usernames (including the normal usernames).


(Erik Heemskerk) #10

An afternoon is 4 hours. Imagine how many other issues can be solved in an afternoon? Also, I think you’re grossly underestimating how many testing is required to properly implement it.

Perhaps, but from a software engineering standpoint it’s better to whitelist than to blacklist. In other words, it’s better to define what characters are allowed than what characters are not allowed.

Consequentially, the developers would have to manually add every non-alphanumeric character that users would desire in their user name. For every character, one or more tests would have to be written to ensure nothing is broken by supporting that character. Then some user starts complaining why it’s possible to use a apostrophe, but not a backtick (`). Wouldn’t be fair if it weren’t included, would it? Cue additional development and testing hours.

I wouldn’t be surprised if a lot of users in the target audience (which is, I guess, regular consumers), don’t look at their screens when they type, so they wouldn’t notice. Also, most users type a few characters to narrow down the list. If a user has a non-alphanumeric character in the first few characters of his, that would make it difficult.


(Doug Moore) #11

The problem with “slugging” solutions is that they may cause collisions between usernames. Generally slugging involves removing characters that are… less important. So “vilx-” and “vilx’” become the same URL. As for using ID’s, if you want to discuss outdated techniques some more…


(Valts) #12

Aren’t you overengineering this a little bit? There is such a thing as too much Process.

And I do believe that this is a case for blacklisting rather than whitelisting. There aren’t that many Unicode character classes that an exhaustive blacklist of them would be enormous. Then again, whitelisting could work too, for the same reason.

Anyways, you only really need to forbid unprintable/unallocated/control characters as well as badly formed Unicode strings. Those can really mess up the page. Everything else will just be printed as a character. It might show up as something untypeable or just a little square, but it will show up, and it will be possible to copy-paste it at the least.

Not to mention that the popup shows by default the people in the current conversation, and the more recent ones (the ones you are most likely to mention) are closer.

Btw - that brings up another thought - what about Chinese/Japanese/Korean/Russian people? Do you mean to say that they won’t be able to make usernames in their native language?

Of course, this is open-source software and all that, but that’s an argument to stop any feature request.


(Valts) #13

There are plenty of URLs on this site that use IDs. Like topic and post IDs. Why should usernames be special? And - I don’t consider it outdated.


(Gweebz) #14

I agree, IDs in URL doesn’t seem like an outdated strategy… especially considering users are allowed to change their usernames. Using IDs seems like the only way to make a permanent link to a user’s profile.


(Erik Heemskerk) #15

Now that would be a simple case to fix: simply use a Unicode character class.

In terms of over-engineering; you have recognized that allowing non-alphanumeric characters would require a user to be able to flag another user’s user name. Now that would require a substantial amount of work. Not only in development, but also in discussion, considering how complicated the flagging process is.


(Erik Heemskerk) #16

It seems easier to simply notify the user that permalinks to his or her profile will stop working when the user changes his or her user name.


(Gweebz) #17

I would argue that those would not be considered permalinks and not supporting permalinks would be a real travesty. I like to link to my online profiles often.


(Erik Heemskerk) #18

Then don’t change your user name. This might seem a Jobsian reaction, but it sounds to me as the same kind of requirement as ‘When I change the name of a file on my computer, a path that previously worked no longer does’. Should we be using B-tree node references instead of paths?


(Mike Weller) #19

What about installations of discourse aimed at asian audiences? Will they also be restricted to the roman alphabet?

Count this as a vote for blacklisting instead of whitelisting.


(Valts) #20

[quote=“korben, post:15, topic:1315”]In terms of over-engineering; you have recognized that allowing non-alphanumeric characters would require a user to be able to flag another user’s user name. Now that would require a substantial amount of work.[/quote]It will be needed anyway. Even with just alphanumerics you can make infinite varieties of offensive usernames. Non-alphanumerics hardly make it any worse. In fact, trolls who want offensive usernames probably won’t bother with non-alphanumerics, because they want readable usernames.