Here's the thing, almost certainly, re-using a username is something that you never want to have happen. Unless there's literally 0 security or harassment opportunity with your application, letting someone else occupy someone's old name is going to result in problems.
I agree re-use is problematic by default, but banning it outright blocks a few scenarios where it could be useful.
Undoing squatting: someone already used WellKnownName or TradeMark and did little useful with it. Not allowing reuse ever makes squatting a more damaging attack :-(
You could make an exception for forced takeovers — by court order e.g. for trademarks, or by convincing the company controlling the namespace. All forms of forced takeover can be controversial though (cf. kik npm story)...
What about amicable resolutions, where both parties agree to transfer the name? Do they have to go through customer support?
What about paying off the squatter? Does allowing reuse enable squatting for ransom, and would blocking it prevent it?
What about a person who held a cool name for their own use, and someone really wants to pay a lot for it?
Role accounts: Alice has a "safety@example.com" role, moves on and is handing that account over to Bob. She also gives him control of 3 bot accounts.
Many services ToS expect 1:1 account:human correspondence but that rarely matches all ways humans want to use them...
(Of course users do circumvent such things by just giving Bob the passwords to her actual account. But that's bad, and with federated logins increasingly risky.)
Technical takeaway: don't bake the assumption re-use is never possible into the system.
Whenever you have handles that are not a number/hash but people actually care about, you'll have policy decisions to make sooner or later.
Generally, this is an interesting area where technology tends to restrict imformal flexibilities humans had... "I'm sorry Dave, I can't let you do that" kind of thing.
I like the route Discord and Blizzard have taken with regard to usernames - you can pick whatever you want, and the user entered part changeable and isn't unique, and then they tack on a four (or so) digit numeric identifier to the name that makes it unique (I suspect under the hood, that identifier is related to the actual primary key in some way).
The UI largely allows users to use the user created name, and anywhere the full identifier is used, they make it as seamless as possible and avoid requiring the user to know it.
I agree re-use is problematic by default, but banning it outright blocks a few scenarios where it could be useful.
Undoing squatting: someone already used WellKnownName or TradeMark and did little useful with it. Not allowing reuse ever makes squatting a more damaging attack :-(
You could make an exception for forced takeovers — by court order e.g. for trademarks, or by convincing the company controlling the namespace. All forms of forced takeover can be controversial though (cf.
kiknpm story)...What about amicable resolutions, where both parties agree to transfer the name? Do they have to go through customer support?
What about paying off the squatter? Does allowing reuse enable squatting for ransom, and would blocking it prevent it?
What about a person who held a cool name for their own use, and someone really wants to pay a lot for it?
Role accounts: Alice has a "safety@example.com" role, moves on and is handing that account over to Bob. She also gives him control of 3 bot accounts.
Many services ToS expect 1:1 account:human correspondence but that rarely matches all ways humans want to use them...
(Of course users do circumvent such things by just giving Bob the passwords to her actual account. But that's bad, and with federated logins increasingly risky.)
Technical takeaway: don't bake the assumption re-use is never possible into the system.
Whenever you have handles that are not a number/hash but people actually care about, you'll have policy decisions to make sooner or later.
Generally, this is an interesting area where technology tends to restrict imformal flexibilities humans had... "I'm sorry Dave, I can't let you do that" kind of thing.
I like the route Discord and Blizzard have taken with regard to usernames - you can pick whatever you want, and the user entered part changeable and isn't unique, and then they tack on a four (or so) digit numeric identifier to the name that makes it unique (I suspect under the hood, that identifier is related to the actual primary key in some way).
The UI largely allows users to use the user created name, and anywhere the full identifier is used, they make it as seamless as possible and avoid requiring the user to know it.
I agree. I didn't like this system when I first saw it, but it's really growing on me