
Ask HN: Why do usernames have to be unique? - guard0g
Pet peeve: every time I register for a new service&#x2F;website, it&#x27;s a chore to find a unique username that hasn&#x27;t been previously used. It&#x27;s 2018 - why haven&#x27;t we evolved from the need for unique usernames?
======
badrabbit
I Agree with OP.

From an authentication point of view(Crypto and twiiter like
'verification'),some system or authority needs to verify your identity. I
think a Fully Qualified User Identity (much like fqdn) where your username is
only part of your FQUI would solve a lot of issues.

For example:

Alice.blue.hn.de Alice.orange.hn.twitter.us

The two FQUI represent different people.

Alice is in the 'blue' group,verified by hn which used the 'de' identity
authority.

Alice is in the 'orange' group,verified by hn using twitter. Twitter used
identity authority 'us'.

<[hierarchial user name]>.<user group>.<[hierarchial identity verifier
domains]>.<identity authority>

This isn't a new idea at all,there just does not seem to be a one size fits
all consensus on what system to use. Maybe everyone is wary because the DNS
hierarchial system isn't doing too well. Unlike domain names,a person is
unique,you can't register arbitrary identities under the same authority(at
least not without committing fraud)

~~~
dangerface
I don't get it how is this different from the URI user field like:

username@hostname.tld

~~~
badrabbit
You have user groups which allows for duplicate usernames. The hierarchy also
imposes a top level identity authority. In your example,'tld' is responsible
for hostname,not for username. In my example 'de' is responsible for verifying
the user with 'hn' merely verifying against 'de'. Your example is user@fqdn.
My idea is <fqui> ,which authoritatively qualifies a user not a user and a
domain

------
dangerface
From a UI point a name is a way for humans to identify a thing. So a username
is just a way to identify a user, if multiple users have the same username you
cant identify which one.

Starcraft allows people to have the same username, tell your mate your
username and ask him to add you, he wont be able to. You need to go through
settings and find your unique user pin which you cant remember, then give that
too your mate, they need both.

Use email and a screen name, your mate already knows your username and can add
you, you can call yourself whatever you want.

------
krapp
The purpose of a username is to identify a user, publicly and to the
application with an account and password. If usernames weren't unique, it
might be impossible to distinguish between accounts with the same username,
much less the same password. Forcing passwords to be unique is unacceptable as
every failed attempt to register an account with a password that exists will
tell you _someone is using that password_ (to say nothing of the overhead of
having to check that.) But being told a username exists doesn't expose the
same security risk.

------
Eridrus
I think Facebook is an example of a service that has - you use an email &
password to log in, but your name is what is displayed everywhere.

But Facebook has made other trade-offs that people might not always agree
with: it requires people to use their "real name", and while this policy is
sporadically enforced, they probably have checks for people cycling through
names, and they also focus on communicating with your close social circle
where there is less incentive/opportunity to impersonate people.

Twitter has something in between where you can have a handle, which must be
unique, as well as a display name, which does not. Without a unique handle
@handle isn't a thing that works. You could do something like Facebook and
have someone type @<Display Name> and provide some drop down for
disambiguating, but given the wide open nature of Twitter, this seems more
abuse-prone.

Identity is still hard to manage online, and I don't think we're really ever
going to solve the problem in a way that makes everyone happy.

------
bufferoverflow
Because how will users know whether some comment was written by guard0g or by
guard0g?

~~~
guard0g
Someone can easily spoof the name guard0g. We don't require everyone in the
world to have a different name, but instead use context to disambiguate
identities. Can't we do that online?

------
metaloha
I've written a login before that allowed non-unique login names that were
solely differentiated by password. Given the relatively low volume of visitors
to the site and the minimum password requirements (8 characters, at least one
cap and one punctuation), we figured the chance of collisions was minimal.

------
treve
Most modern services don't anymore though. Most of them use an email address.

The ones that don't typically make a publicly identifyable string for you,
like a url on GitHub or a handle on Twitter.

------
m1573rp34130dy
there is far too much hackability Re spoofed user names, a machine can tell if
a name is reused but people often cant. ...the problem with filtering name and
passwd reuse also bring hackability into play, suppose guard0g is on a secure
system and the user names are not supposed to be public, we now know that
guard0g at least was in use at one time if not currently, this info can be
used in crafting a soc.eng. attack...

