
Why should usernames be unchangeable?

I read everywhere (and see in practice) that usernames should not be changeable. When I ask why, 'security' is given as a reason.

I've been searching for a definitive answer as to why changing a username is insecure, but I can't seem to find the answer.

Could any of the security experienced people here answer this question?

Note: if you do not know the answer, please refrain from speculation. I've thought of a number of reasons myself, but I don't know the actual answer, hence the question.

UPDATE:
1: By userId I meant to refer to some sort of unique identifier, be it a database record id or some other unique id. I've been told several times that changing the username is bad for security, even if the username is not the primary/unique identifier for the system itself.

2: I do allow users to change their 'public name'. This is the name that is used to identify the user to the other (non-privileged) users. For example:

userId: 1234
username: john02
public name: John Jameson
email: [email protected]

3: As pointed out by Jason and The Rook, consistency seems the only good reason. I've the feeling this 'best practice' might be a leftover from somewhere in the past when usernames were actually used within the system to uniquely identify users.

Jacco asked Jul 09 '10 20:07




2 Answers

If you don't allow people to change their usernames then some people are just going to create new accounts. I don't see any security risk in this, and many apps including SO allow you to change your name. If you change the name, keep the userid (primary key) the same so all of the data links up properly.

The only danger I see is if you can change your name to an account that already exists like 'admin'.

rook answered Oct 12 '22 13:10


There are a number of reasons from a security aspect that you may not wish to allow users to change their names. However, as an all-out "NEVER do this" - I don't necessarily agree. But, allowing name changes creates quite a bit of extra work. If you are going to allow users to change their identities, you have to be very careful due to the reasons below.

  1. Maintaining a consistent user identity. Let's say you run a message board and Troll_1 is on everybody's block list. If Troll_1 is able to change his or her name, then all those user filters are no good and you have some unhappy users.
  2. Along with answer number 1, you also want to maintain consistency across your underlying systems. If users are allowed to change names, you have to make sure you update every system that user is using so that he or she does not lose (or gain) permissions into areas they are (or are not) allowed. Additionally, if a user changes his or her name and a new user wishes to use that name, you may, inadvertently, allow that new user access to the old user's information/data/whatever if you have not done due diligence in updating your systems.
  3. Depending on what type of system you have, allowing someone to change their user name can make your system prone to abuse from a fraud standpoint. You could have someone switching their name back and forth pretending to be two different people in an attempt to scam someone. An unaware victim may easily fall for it. (Sounds stupid, I know, but I have seen people come up with crazier crap.)

Anyway, as I said - I don't believe it's necessarily a bad thing to allow users to change their names. However, it does create quite a bit more work for you, the developer. User names now can't be unique IDs in a database and user names now don't necessarily relate to someone (because they can be changed later), so you have to have a different system in place for expressing "uniqueness."

JasCav answered Oct 12 '22 13:10
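One way to implement the rename rules the two answers describe, as an added example that is not part of either answer: the numeric id is the only key other tables reference, so block lists and permissions survive a rename; the username column is unique and case-insensitive, so nobody can rename to 'admin' or 'Admin'; every name an account has ever held is kept, so a newcomer cannot inherit an old name and whatever still points at it; and a rename cap limits back-and-forth switching. It uses Python's standard sqlite3 module; the table layout, the reserved-name list, the rename cap and the sample users are constructed for the illustration.

```python
import re
import sqlite3

# Constructed policy values for this example; a real site would tune both.
RESERVED = {"admin", "root", "support", "system"}  # names no account may claim
MAX_RENAMES = 3                                      # cap on back-and-forth switching
NAME_RE = re.compile(r"[A-Za-z0-9_]{3,32}")


class UsernameError(ValueError):
    """Raised when a requested username must be refused."""


def open_db():
    """In-memory schema: other tables reference the numeric id, never the username."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id          INTEGER PRIMARY KEY,
            username    TEXT COLLATE NOCASE NOT NULL UNIQUE,  -- 'Admin' collides with 'admin'
            public_name TEXT NOT NULL,
            renames     INTEGER NOT NULL DEFAULT 0
        );
        -- Every name an account has ever held, so a later user cannot reclaim it.
        CREATE TABLE username_history (
            username TEXT COLLATE NOCASE NOT NULL PRIMARY KEY,
            user_id  INTEGER NOT NULL REFERENCES users(id)
        );
        -- Permissions and block lists key on user id; a rename cannot change them.
        CREATE TABLE permissions (user_id INTEGER NOT NULL, perm TEXT NOT NULL);
        CREATE TABLE blocks (blocker_id INTEGER NOT NULL, blocked_id INTEGER NOT NULL);
    """)
    return db


def _check_name(db, username, owner_id):
    """Refuse malformed, reserved, or currently/previously taken names.
    owner_id is the account asking, so a user may return to a name they held
    earlier themselves; None means a brand-new account."""
    if not NAME_RE.fullmatch(username):
        raise UsernameError("malformed username")
    if username.lower() in RESERVED:
        raise UsernameError("reserved username")
    row = db.execute("SELECT user_id FROM username_history WHERE username = ?",
                     (username,)).fetchone()
    if row is not None and row[0] != owner_id:
        raise UsernameError("username is or was held by another account")


def create_user(db, username, public_name):
    _check_name(db, username, owner_id=None)
    cur = db.execute("INSERT INTO users (username, public_name) VALUES (?, ?)",
                     (username, public_name))
    db.execute("INSERT INTO username_history VALUES (?, ?)", (username, cur.lastrowid))
    return cur.lastrowid


def rename_user(db, user_id, new_username):
    """Change the login name; the id (and everything keyed on it) stays put."""
    (count,) = db.execute("SELECT renames FROM users WHERE id = ?", (user_id,)).fetchone()
    if count >= MAX_RENAMES:
        raise UsernameError("rename limit reached")
    _check_name(db, new_username, owner_id=user_id)
    db.execute("UPDATE users SET username = ?, renames = renames + 1 WHERE id = ?",
               (new_username, user_id))
    # OR IGNORE: returning to one's own earlier name is already on record.
    db.execute("INSERT OR IGNORE INTO username_history VALUES (?, ?)", (new_username, user_id))


def lookup_id(db, username):
    row = db.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row[0] if row else None


def is_blocked(db, blocker_id, blocked_id):
    return db.execute("SELECT 1 FROM blocks WHERE blocker_id = ? AND blocked_id = ?",
                      (blocker_id, blocked_id)).fetchone() is not None


def has_permission(db, user_id, perm):
    return db.execute("SELECT 1 FROM permissions WHERE user_id = ? AND perm = ?",
                      (user_id, perm)).fetchone() is not None


def demo():
    """Walk through the scenarios from the answers; returns a dict of outcomes."""
    db = open_db()
    troll = create_user(db, "Troll_1", "Troll")          # constructed sample users
    alice = create_user(db, "alice", "Alice Example")
    db.execute("INSERT INTO blocks VALUES (?, ?)", (alice, troll))
    db.execute("INSERT INTO permissions VALUES (?, ?)", (troll, "post"))
    rename_user(db, troll, "friendly_bob")
    out = {
        "block_survives_rename": is_blocked(db, alice, troll),
        "perm_survives_rename": has_permission(db, troll, "post"),
        "new_name_resolves": lookup_id(db, "FRIENDLY_BOB") == troll,
        "old_name_resolves": lookup_id(db, "Troll_1"),   # None: the old name is gone
    }
    for attempt in ("admin", "ALICE", "troll_1"):        # names a newcomer must not get
        try:
            create_user(db, attempt, "Newcomer")
            out[attempt] = "allowed"
        except UsernameError as exc:
            out[attempt] = str(exc)
    try:                                                 # switching stops at the cap
        for i in range(MAX_RENAMES + 1):
            rename_user(db, alice, f"alice_{i}")
        out["rename_cap"] = "not enforced"
    except UsernameError as exc:
        out["rename_cap"] = str(exc)
    return out
```

Running `demo()` shows the block and the permission still attached to the renamed account, the old name no longer resolving, the three refused registrations, and the fourth rename being rejected. Keeping history rows forever is the simplest way to honour JasCav's second point; a site that wants old names to become available again would add an expiry column and also re-check everything that still stores the string.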