Preventing Username and Password Matches When Changing a Username

The only sensible way to get what you want is to ask for the password when a user changes their username. That way the server always has the plaintext it needs to compare the new username against the password at the moment of the change, and can reject a match.

As sensitive operations – such as changing passwords, or in your case usernames – should require the password anyway (to limit the damage of XSS), this shouldn’t be a problem.

Your only other alternative is to try every possible case combination of the new username, hash each one, and compare it to the stored password hash when a user changes their username.
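Both approaches side by side, as an added example that is not part of the original post: `change_username` implements the preferred flow (password required, compared directly), and `new_username_matches_password` implements the fallback of hashing every case variant. The in-memory store, the PBKDF2 parameters and the length bound on the fallback are assumptions made for this example.

```python
import hashlib
import hmac
import itertools
import os

# Constructed in-memory user store: {username: (salt, pbkdf2_hash)}.
# Iteration count is kept moderate so the example runs quickly; raise it to current guidance in production.
ITERATIONS = 100_000

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def create_user(store: dict, username: str, password: str) -> None:
    salt = os.urandom(16)
    store[username] = (salt, hash_password(password, salt))

def verify_password(store: dict, username: str, password: str) -> bool:
    salt, stored = store[username]
    return hmac.compare_digest(stored, hash_password(password, salt))

def change_username(store: dict, username: str, new_username: str, password: str) -> bool:
    """Preferred approach: the change requires the password, so the server holds the
    plaintext and can compare it with the new username directly (ignoring case)."""
    if not verify_password(store, username, password):
        return False  # wrong password: refuse the sensitive operation
    if new_username.casefold() == password.casefold():
        return False  # new username would equal the password
    if new_username in store:
        return False  # name already taken
    store[new_username] = store.pop(username)
    return True

def new_username_matches_password(store: dict, username: str, new_username: str,
                                  max_letters: int = 12) -> bool:
    """Fallback when no password is available: hash every upper/lower-case variant of
    the new username and compare each with the stored hash. Cost is 2**letters slow
    hashes, so the caller must bound the length (assumed limit: max_letters)."""
    choices = [{c.lower(), c.upper()} for c in new_username]
    letters = sum(1 for s in choices if len(s) > 1)
    if letters > max_letters:
        raise ValueError("too many case variants to check")
    salt, stored = store[username]
    for variant in itertools.product(*choices):
        if hmac.compare_digest(stored, hash_password("".join(variant), salt)):
            return True
    return False
```

The fallback's cost doubles with every letter in the new username, which is why the first approach is the sensible one.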
