Should usernames be case sensitive or insensitive?
I just got bitten by this question on a site recently. The usernames were case sensitive; users were trying to log in; they kept getting rejected by the system; and support people who tried with the users’ own information were getting in just fine.
I haven’t found a real consensus online. CVS appears to have case sensitive usernames. Vonage, on the other hand, does not. Hotsyncing a Palm seems to rely on case sensitive usernames. Yachting and Boating World is also case sensitive. And .htaccess directory protection on Unix systems is case sensitive. However, GMail does not employ case sensitive usernames – probably largely because your GMail username is an email address, and email addresses are case insensitive by nature.
So what’s the right way to do it?
There’s no question that case sensitive usernames are more secure than case insensitive. Plus, you’re going to be able to offer more usernames for your clients (goodgirl and goodGirl, plus all the possible variations) which is good for a well-trafficked website. Ever tried getting the username you wanted for a Yahoo! or GMail account?
But there’s also no question in my mind that it’s much more user-UNfriendly. People don’t always remember the exact case they used when they first logged in. Worse, this can be a really tough problem to diagnose. Support staff can be taking the username out of a database, ensuring that they have exactly what the website wants, and everything works fine … and then users try their fUnky cAse uSerName, and it doesn’t. Unless support asks the right questions, the problem is inexplicable.
(And of course you have the higher-level problem that users have called support in the first place – in the perfect world, with a great web app, they should never need to.)
On the other hand, for applications where extremely high security is necessary, implementing case-sensitive usernames (as well as passwords) is probably something you’re willing to endure some usability pain for. Administration interfaces for e-commerce sites, content management areas etc., should probably use case-sensitive usernames.
The biggest problem is when you mix cases, or, more accurately, forget exactly what case you should be checking for. In fact, that’s similar to the problem that I recently had.
The moral of the story for me? Case insensitive, all the way, for all websites from now on … unless I have a really, really, really good reason to do it otherwise. That will save a lot of support headaches.
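One way to avoid the mixed-case problem described above, as an added example that is not from the original post: a single canonicalization function is applied at both registration and login, and uniqueness is enforced on the canonical form while the typed form is kept for display. The Unicode normalization step goes beyond the ASCII cases in the post; `UserStore` and `canonical_username` are hypothetical names, and the in-memory dict stands in for a users table.

```python
import hashlib
import hmac
import os
import unicodedata


def canonical_username(raw: str) -> str:
    """Single normalization routine shared by registration and login."""
    # NFKC folds compatibility forms (e.g. full-width letters); casefold() is
    # the Unicode-aware lowercase meant for caseless matching. Normalizing
    # again afterwards keeps the result stable for characters that casefold
    # expands into several code points.
    folded = unicodedata.normalize("NFKC", raw.strip()).casefold()
    return unicodedata.normalize("NFKC", folded)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


class UserStore:
    """In-memory stand-in (assumption) for a users table keyed on the canonical name."""

    def __init__(self):
        self._users = {}  # canonical name -> (display name, salt, password hash)

    def register(self, username: str, password: str) -> bool:
        key = canonical_username(username)
        if not key or key in self._users:
            return False  # "goodGirl" collides with an existing "goodgirl"
        salt = os.urandom(16)
        self._users[key] = (username.strip(), salt, _hash_password(password, salt))
        return True

    def login(self, username: str, password: str) -> bool:
        # Same canonicalization as register(), so the lookup key always matches.
        record = self._users.get(canonical_username(username))
        if record is None:
            return False
        _, salt, stored = record
        # Passwords stay case sensitive; only the username is folded.
        return hmac.compare_digest(stored, _hash_password(password, salt))

    def display_name(self, username: str):
        record = self._users.get(canonical_username(username))
        return record[0] if record else None
```

In a real database the same effect comes from storing the canonical form in its own column with a unique constraint, so the check cannot be skipped by one code path.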