title: Granted access
lang: en

> You can — and should — be taking some precautions to ensure that, say, an auto-created subdomain for a user account doesn’t conflict with a pre-existing subdomain you’re actually using or that has a special meaning, or that auto-created email addresses can’t clash with important/pre-existing ones.
>
> But to really be careful, you should probably also just disallow certain usernames from being registered.
>
> *[Let's talk about usernames](https://www.b-list.org/weblog/2018/feb/11/usernames/)* ([cache](/david/cache/f11fd87b74b7e887269b0e4f300de405/))

Let me tell you a story about that. I have the username *david* on Bitbucket. You might think it’s quite harmless and I do agree. Not a week has gone by in the last ten years without somebody giving me write access to a private repository. This is not intentional; it is a user experience security flaw that is really hard to spot. And still, I get access to so much critical stuff!

Even with good will, I cannot find an elegant solution to that confusion. The first year I sent a humorous email about that to each owner and then I gave up. Now imagine if I was nasty…

My point is: even with a strong password — two-factor authentication or whatever — when the user interface is confusing, social hacking is made incredibly simple.