Is it good or bad practice to allow a user to change their username?
Many people have looked at the reasons not to allow name changes from both a security and a community standpoint. However, there are plenty of legitimate reasons to allow username changes, even if the username is separate from the display name, for example:
- Someone has changed their real life name or the name by which they'd prefer to be called, due to marriage, family situations, escaping stalking/harassment/etc., and so on
Even in the case of it being simply a username, having to use an old name which carries trauma can further the trauma. Also, it is quite possible for a stalker/harasser to know their target's login credentials, and being able to change both parts of the credential lowers the attack surface; further, monitoring attempts at logging in to an abandoned username allows for building a legal case against a bad agent.
- People have decided to move forward on a gender transition
Being forced to use one's "dead name," even in the context of a private username, is also very traumatic. (I can speak to personal experience on this one.)
- People have a username that they no longer feel suits them for whatever reason
This has less of an implication for internal usernames but it's still better to err on the side of kindness, in my opinion.
These are all important for user comfort, and in many cases people would likely just create a new account with the new name anyway, so might as well support it.
Avoiding social engineering certainly is important but there are approaches that help to mitigate this, such as various forms of verification (as seen on several social networks), public-key cryptography, and profile indicators ("name last changed N months ago; name changed K times"). And, since this question has been edited to be regarding internal user names and not public display names, those concerns aren't even germane to the discussion.
Also, keep in mind that many attack surfaces provided by someone changing their username is also present for someone simply creating a new account, and if a username change option is not available then the user will likely create a new account - possibly using the same password as the old one and otherwise doing things that might lead to compromised security.
It is a good idea to maintain an audit trail of username changes and disallow the creation of new accounts that use a previously-used username (at least if the username was last used within the past, say, year), but there is no reason that the username should ever be the primary key used to associate data with the user account in the first place, because there are legitimate purposes for a username change and all account records should be normalized to an abstract internal-only ID in the first place.
I would say as long as they are not able to change their unique identifier. I.e. they can change the name they show up as, but that name is tied back to an unchanging user ID number (this will make your DBAs happier too). I'd also make sure user's couldn't change their name to an old name of another user (to help mitigate the scam potential Anders is talking about). So you would be looking at storing all names a user went by at one point.
Might be better to have a request for username change, to handle legitimate cases (like the email case), and not have a user-automatable method of doing it.
As mentioned, allowing users to easily change usernames (let's call it "display name" to disambiguate) makes it easier for users to dodge the consequences of harassing or scamming other users. If your site has a social aspect, maybe consider whether bans, blocks, reports, chat histories, etc will carry through a username switch (ie will a user be aware that they are talking to the same account, even though the name has changed?).
Another point to consider is anonymity or privacy concerns. It's fairly frequent that someone makes an account with their real name and then for whatever reason regrets attaching their real identity to it. Sometimes this is because they were caught bullying, but is often for legitimate reasons as well like over-sharing personal details of their life, or they become the victim of bullying. This recent question comes to mind as a different example:
I accidentally entered password for a website as a username for another website
In this case, submitting a service ticket to be reviewed by a human or allowing a limited number of account name changes sound like reasonable approaches.