On Wednesday, February 24, 2021 at 1:07:55 p.m. PST (Pacific Standard Time; yes, I used the “Show original” trick in Gmail to read the email headers), I received an email from help@scratch.mit.edu confirming that a username change had been applied to my account because the old username contained personal information. However, I noticed a caveat with this: my old username was recycled and available for reuse. In this suggestion, I propose for usernames not to be recycled when a username is changed by the Scratch Team because accounts could potentially get hacked on third-party websites (such as Ocular, the Scratch Wiki (international), and Mod Share IV) that use Scratch accounts to verify account ownership when logging in or resetting your password. Cases like JS_Coder, CapTV, and moonlark-'s old usernames being reregistered for impersonation or lying took a while for the accounts containing the old usernames to get deleted by the Scratch Team and for the cases to get closed. Even DipLeChip and Fireflew had old usernames which were reregistered (but not deleted). Currently, I have a blocked English Scratch Wiki account associated with my old username, which could be used to privately message me by looking at the email address associated with the Scratch Wiki account in the preferences after using Special:ScratchPasswordReset if someone reregistered my old username.

The only time username recycling should be allowed is if there is a verified case of a trademark infringement notification received by the Scratch Team. However, it should be checked that the owner(s) of the trademarked name are extremely reputable before recycling the username. Otherwise, a malevolent employee that has access to a Scratch account with the same username may be able to log into Ocular or reset a Scratch Wiki or Mod Share IV password. In that case, recycling usernames may not even be acceptable if emailing username@scratch.mit.edu automatically forwards it to the account owner's email address (but that could make private messaging any Scratcher easier if that trick was known. I use this as an example because you can email the username in the vanity URL of a Facebook profile (with the @facebook.com domain afterward) to send an email to an individual or company if you don't know their real email).

Support! Recycled usernames should not be allowed at all. This could prevent hacking, spam, or deceive nets from the former owner.

dhfbei8987 wrote:

Support! Recycled usernames should not be allowed at all. This could prevent hacking, spam, or deceive nets from the former owner.

Yes! On Scratch, I am correctly recorded as having 1000+ posts. On Ocular, my post count is quite incorrect because Ocular wasn't specifically designed to handle username changes. Redirecting profile URLs could assure the user that the account wasn't deleted or that the Scratch website wasn't broken.

46009361 wrote:

dhfbei8987 wrote:

Support! Recycled usernames should not be allowed at all. This could prevent hacking, spam, or deceive nets from the former owner.

Yes! On Scratch, I am correctly recorded as having 1000+ posts. On Ocular, my post count is quite incorrect because Ocular wasn't specifically designed to handle username changes. Redirecting profile URLs could assure the user that the account wasn't deleted or that the Scratch website wasn't broken.

It's not jeffalo's fault, it's because ScratchDB, where he gets the data, scraped the data beforehand and thinks your old account username was a different person.

Raihan142857 wrote:

46009361 wrote:

dhfbei8987 wrote:

Support! Recycled usernames should not be allowed at all. This could prevent hacking, spam, or deceive nets from the former owner.

Yes! On Scratch, I am correctly recorded as having 1000+ posts. On Ocular, my post count is quite incorrect because Ocular wasn't specifically designed to handle username changes. Redirecting profile URLs could assure the user that the account wasn't deleted or that the Scratch website wasn't broken.

It's not jeffalo's fault, it's because ScratchDB, where he gets the data, scraped the data beforehand and thinks your old account username was a different person.

I know it's not Jeffalo's fault; DatOneLefty has the forum indexing data.

Support. Even though my real full name is kinda too rare in my region, I wouldn't allow another child (who has my real full name as their name) having a real full name, and then exposing their data to the public. I'm glad I changed my old student account username, though.

Support! My Scratch username on another account contained my last name, so I changed it- but I wouldn’t want someone else to use it as my last name is pretty much only a last name.

If a Scratch username contained personal information, we wouldn’t want someone making the same mistake again.

Or, someone might purposely take your old Scratch username to reset your password on another website whose Scratch account is linked. Also, what if they stole your profile picture and bypassed the bad word detector?

I have a (currently) blocked Scratch Wiki account that was approved because the request notes were good, but it's under my old username, which is still available for registration. The person who takes my old username can then use Special:ScratchPasswordReset to reset the password and see the email connected to the account (and change it to their email), with the possibility of being doxxed through an unauthorized publishing of the email without permission.

Bump.

Bump.

Why does this keep getting taken off the first page? Are there so many new suggestions during the COVID-19 pandemic?

Users could impersonate users using exactly their former name, which against the Community Guidelines. This feature would make that impossible to do.

Support. When changing a username, an account should be created with the old username and deleted immediately to prevent it from being reused.

According to this, Scratch Wiki accounts whose corresponding Scratch accounts were registered after the Wiki account might not be able to log into the Wiki Account.

Obvious support for this to improve the security of the site.

SausageMcSauce wrote:

According to this, Scratch Wiki accounts whose corresponding Scratch accounts were registered after the Wiki account might not be able to log into the Wiki Account.

Obvious support for this to improve the security of the site.

Yeah. I tried and it said the following:

The English Scratch Wiki page wrote:

The user 46009361 is not registered on this wiki.

When I clicked the GitHub link, I hovered over jacob-g and saw his full first and last name, so please be careful with what you link on Scratch. However, I didn't know about this part of the code in advance:

InternationalScratchWiki/mediawiki-scratch-login/i18n/en.json on GitHub wrote:

{"scratchlogin-account-age-error": "The user '''$1''' was registered before the Scratch account is created. The action was prevented for security reasons."}

I thought that the Scratch Wiki didn't check it against the account ID or time registered on Scratch or anything like that, so I was worried my wiki account (or JSOadmin on the Scratch Wiki was registered before Scratch) would get hacked this way. But, I guess not!

However, I'm not sure about Mod Share IV or other websites.

46009361 wrote:

When I clicked the GitHub link, I hovered over jacob-g and saw his full first and last name, so please be careful with what you link on Scratch.

Most websites contain full names of people. I don't think that makes them not allowed on Scratch.

Maximouse wrote:

46009361 wrote:

When I clicked the GitHub link, I hovered over jacob-g and saw his full first and last name, so please be careful with what you link on Scratch.

Most websites contain full names of people. I don't think that makes them not allowed on Scratch.

Hmm… maybe. I won't type it directly into the Scratch website, though.

Impersonation would really be a problem without this. Even though it doesn't happen often, it does happen – support.

mybearworld wrote:

Impersonation would really be a problem without this. Even though it doesn't happen often, it does happen – support.

And, people may still believe it's real due to the fact that it's not just an uppercase i substituted for a lowercase L.

Due to the Scratch blocks, the link to your three-thousandth (or thirty-hundredth) post in your signature crashes and reloads on mobile Safari on my iPad Mini 4 (sometimes shows as iPad Mini 5,1 by software like YouTube Kids for some reason).

Bump.

46009361 wrote:

Bump.

46009361 wrote:

Bump.

Please don’t bump twice