Why is there a minimum username length?

Frankly, I find such limits quite silly; any claim that a minimum length on the username has any security merit is ridiculous. Usernames are supposed to be public, they're not secret information (in the vast majority of cases). This is even more silly in systems where the usernames are used as communication handles and you're encouraged to share yours.

Some service providers believe that longer usernames are better to combat spam targeting auto-generated email addresses. Here's Google's take on this one:

We've discovered that short usernames at popular domains receive significantly more spam since they're easy to automatically generate. Gmail's requirement that all usernames be at least six characters in length is meant to keep spam out of your inbox.


I agree that having a longer or shorter username should not be a point for making your account more or less secure. That's what the password or any other proof of identity should be doing. The username is just a way of addressing you and it's totally public.

The only requirement is that it be unambiguous - you can't have two people using the same username.

I will say that there's probably a value to starting the number of required characters at some minimum limit as a way of resolving contention over very short, very easy to remember usernames. Forcing everyone to go with at least 6 characters is a good way to keep users trying to set up their usernames from thrashing through all possible < 6 character options only to find that all of them have been taken. Cutting down the frustrated users is a big deal on a large scale system like Google - which is also why you see suggested usernames to help you try to find something that's available that you can live with.

I'd believe them when they say that spam is an issue on short usernames - the smaller the address space, the easier it is to cover, and I would not be surprised to find that spammers can cover the < 6 character username space pretty efficiently. I'm not sure I believe the "it's for your own good" line - I think it's for Google's own good. If they can simply deny ALL email that comes in for a username that is less than 6 characters, that's a nice chunk of traffic to be able to flat out deny without further matching needed. The more clever your spam filters, the more resources they can take to execute, so being able to flat out deny any chunk of your username space has got to be a win.

I'd agree that in a small userbase - like a private domain or a small company - it's probably less valuable as you have neither the large size user base nor the huge level of traffic/storage requirements of a social networking site.


Ok, first things first..

As we know from basic security theory, the most common way to crack a password is by using all possible entries (brute force). A password's strength is computed by the complexity of the characters it contains. So supposing that there are 62 alphanumeric characters, the complexity of a brute force attack for a 6-character password (without special characters) would be 62^6 = 56,800,235,584 possible combinations.

Now for a mail site, like Gmail or Hotmail, an address with fewer than 6 characters could very possibly be generated by a spam mail algorithm. So to avoid getting spammed, email sites prompt you to use more than 5 characters.

Finally, my guess: on a common site a user could use a username 5 or fewer characters long, but on a site with many users, it would be extremely difficult to find a username that doesn't already exist.