A blacklist of usernames that should not be allowed in an application.
Main reasons is to avoid confusion and mistakes by other users if they interact with a user using a blacklisted username. This can be by accident, but also as more serious phishing attempts.
Json files for each language. Defaults to plain English (en).
Many websites have user generated content under a sub folder by their username. Eg
john_smith’s stuff can be under
http://www.example.com/john_smith/mymusic. This seems harmless.
However if the username was
http://www.example.com/support/change_password.html is not ok.
Other applications may use usernames as a subdomain.
john_smith.example.com is fine. A username of
secure could potentially expose
secure.example.com which seems ripe for nefarious behaviour, not to mention
www as username or subdomain of
Also if emails sent/received by the application perhaps uses the username as an smtp alias then
email@example.com is harmless. But someone at
firstname.lastname@example.org could potently social engineer a SSL certificate change etc.
https://www.ietf.org/rfc/rfc2142.txt provides a list of mandatory and common optional email aliases. It is a good idea to blacklist most of these as a username. https://webmasters.stackexchange.com/a/105020 is more elaborate.
Suggested rules in addition to blacklist.
Allowing UTF-8 and similar character sets for usernames can be dangerous. It is user friendly to support UTF-8 especially with an international customer base. But it is a potential minefield with random characters that looks like ASCII a-z. In general ASCII only is recommended even if it restricts some
Gøran, etc. (See https://labs.spotify.com/2013/06/18/creative-usernames/)
In addition to UTF-8 character set be aware of confusion and phishing attempts with usernames that sound genuine in other languages. Even when language used for the application is english only. Hence the need for multiple language json files in this project.
Also some usernames can be made to look genuine by inserting symbols e.g. underscores or dashes. One potential rule is to only allow a few special characters, perhaps only
_. And then also only in the middle of the username and not at the beginning or end.
Some usernames can be made to look genuine with clever prefixes. A more elaborate check could restrict if username is prefixed by a black listed username. So no
admin-web would be allowed if
admin was black listed.
Convert all usernames to lowercase.
adMin is the same username.
Probably makes sense to have a minimum length username. 1, 2 or even 3 characters gets pretty vague. And perhaps a maximum length, though be generous, e.g. 128 characters.
If not checking for prefixes, e.g. in English adding an
admin may make
admins look genuine.
Please test if your rules are too restrictive and preventing too many users in signing up.
Phishers are devious and this blacklist is brittle and short. But it is a start.
Please send pull requests to https://github.com/flurdy/bad_usernames/pulls. Especially for other languages.