Minimum lengths for usernames. Wtf?!

I get bitten all the time with minimum username length requirements. The most common number that I bump up against is 6 characters, probably because my usual username is 5 characters so I wouldn’t hear about requirements of 4 or 5, and it’s obvious to everyone that requiring 7 or 8 characters is silly. But why have a minimum length in the first place?

Help me out here—I want to believe that when Zoho tells me that I need to use 6 characters, it’s for some reason other than “the developer who wrote that validation code picked 6 arbitrarily”. But I can’t for the life of me imagine what the other, better reason might be.

Even worse than Zoho is Google’s Picasa. Before successfully choosing a username there, I managed to uncover 3 different error messages, two of which are completely useless:

  1. Please enter a username between 6 and 30 characters.
  2. Please enter a username without invalid charcters.
  3. The username ‘xxxxx_’ is not available.

Okay, for message number 1, I can understand what to do in response to the message, but it frustrates me nonetheless. As far as I can tell, the only “charcter” (their misspelling, not mine) that triggers message 2 is ‘@’. Any other character that’s not a letter or a number results in message 3 (which was caused by the _ in this case).

I know that neither the Zoho developers nor the Picasa develoeprs are likely to read my meager blog rant. But for those of you out there who do web development today or in the future, please keep in mind that there are some of us with well-established usernames that are only 5 characters (or 4 or 3 or shorter, for that matter) that would love to not be subjected to capricious and silly rules when using your site. If there are technical reasons for arbitrary-seeming restrictions, then fine, but in most cases there shouldn’t be.

10 Comments

  1. R.Rajkumar
    Posted November 20, 2008 at 11:02 pm | Permalink

    *I want to believe that when Zoho tells me that I need to use 6 characters, it’s for some reason other than “the developer who wrote that validation code picked 6 arbitrarily”. But I can’t for the life of me imagine what the other, better reason might be.*

    I do have a 4 letter login name at Zoho; but I had signed up a long time ago – not sure when this came into effect.

    *I know that neither the Zoho developers nor the Picasa eveloeprs are likely to read my meager blog rant.*

    Zoho developers do read blogs about Zoho and I am sure they will find you soon. But, I am not sure if they would come up with convincing reason, for the “6 to 30″ limit.

  2. Posted November 21, 2008 at 12:00 am | Permalink

    Scott : It’s been found that short user names receive significantly more spam since they’re easy to automatically generate. So, the longer your user name & more uncommon it is, the better your chances against getting hit by spam.

    And yeah, at Zoho, we try our best to listen and respond to our users :)

  3. Posted November 21, 2008 at 12:12 am | Permalink

    Aravind, I totally buy your spam claim, but is forcing me to create a username that I won’t remember the best way to defend me from spam?

  4. Posted November 21, 2008 at 12:27 am | Permalink

    Hmm, it’s a compromise. I can equate this with password security rules. For example, my office and my bank both have this rule – that you have to choose a password with capital letters and numbers in them and should be of minimum 8 characters. And the password has to be changed every 14 days. To top this, the system won’t allow you to choose from the past 3 passwords you’ve used.

    Google’s take on this :
    http://mail.google.com/support/bin/answer.py?answer=7993&topic=12777

  5. Posted November 21, 2008 at 12:53 am | Permalink

    Sure–but the cost of having my banking password guessed is much higher than the cost of getting a few more spams because someone guessed my username.

    I guess I’m saying even now that I understand the downside here, it seems better to me to get more spam than to have to choose a less desirable username that I’m likely to forget all the time. Especially when you consider that I don’t care at all about my Zoho inbox. (I didn’t even realize I had one.)

  6. Roy Leban
    Posted November 21, 2008 at 2:06 pm | Permalink

    Let’s assume the spam issue is a valid point. Given that, I think it’s better to warn users than to block them.

    The general result of policies like this is to hurt users, not to help them. Scott’s read my post on password policies already, but here’s a link for the rest of you:

    http://www.thisuser.com/2008/07/stupid-password-policies.html

  7. Yeyui
    Posted January 12, 2010 at 10:17 am | Permalink

    Glad to read your rant. Now I don’t have to repeat it. I have used the same username since my first days on the internet 14 or so years ago. Until the last couple years, Yeyui consistently and uniquely pointed to me. (There are now up to two people in Asia using the same handle) It always irks me when some site or service (today it is Skype) tells me my name isn’t good (meaning long) enough for them.

  8. Matt
    Posted April 25, 2012 at 1:59 pm | Permalink

    I’m glad to see this irks someone else – and to think I thought I could escape the clutches of gmail! Sadly changing my email address is way more hassle than I can cope with.

  9. Posted November 23, 2012 at 11:23 pm | Permalink

    I agree that having a shorter email/handle/login is desirable for us users, but you also have to realize that spam doesn’t only affect us users, but also the service providers themselves. So GMail, Zoho, et al, save money by not having to handle the spam sent to short-named accounts.

  10. Sam
    Posted January 4, 2013 at 1:54 pm | Permalink

    I finally googled “Why put character minimums for user names” and got this blog post. Amen to your compaint, and it’s not just Zoho – it’s plenty of other places where spam isn’t a concern. My student loan management website requires 8 characters minimum for the user name.

    This has nothing to do with password strength. The username is identify you, not verify that ID (that’s the passwords job). So let my ID be anything I want, so long as its unique. Or at the very least, make your parameters extreme, so people who have been using the same 7 char username since the dawn of the internet don’t have to start remembering 3-4 usernames along with all those passwords.

    SOOOO ANNOYING.

Post a Comment

Your email is never shared. Required fields are marked *

*
*