MediaWiki talk:Usernameblacklist

From Wikipedia, the free encyclopedia

Administrators: Be extremely careful regarding the entries you place on this list. Simple typographical errors can block the creation of thousands of unintended usernames. Don't add a term unless you are completely sure it will not affect innocent users. For example, an entry for "ass" would also block "EmbarassedMonkey", because that name contains "ass". This is the Scunthorpe Problem. See here for general information about regexes (which are used here), and here for specific details about their use in PHP. This feature is available from an extension called Username Blacklist, written by Rob Church. Documentation can be found on the MediaWiki website.



Suggesting Hate and Retard on the blacklist.

I suggest that "Hate" and "Retard" be on the username blacklist, since they are both inflammatory words. NHRHS2010 Talk 15:33, 1 September 2007 (UTC)[reply]

Nope--"I Hate Evil" and "Flame Retardant" Matchups 03:07, 2 September 2007 (UTC)[reply]
One more, I also suggest that "Your Mom" would be placed on the blacklist as well. NHRHS2010 Talk 15:59, 1 September 2007 (UTC)[reply]
Sounds okay. I'd be willing to sacrifice "Your Mom is Beautiful." Matchups 03:07, 2 September 2007 (UTC)[reply]
This is a list of unqualifiedly inappropriate usernames without false positives, not a list of potentially slightly problematic usernames with many false positives. —Centrxtalk • 02:19, 22 September 2007 (UTC)[reply]
The word "DotCom" (spelled out) should be in the blacklist as well, since I am seeing many of the usernames containing 'DotCom'. NHRHS2010 Talk 21:34, 30 September 2007 (UTC)[reply]
If someone's name was "Dot Coman" for example, this would prevent them from making a username with the space removed. Tra (Talk) 21:50, 30 September 2007 (UTC)[reply]
I found two things to put in the blacklist. "Nigger" (since it is used to insult black people) and "Jesus Christ" (since it is often used abusively). NHRHS2010 Talk 22:05, 30 September 2007 (UTC)[reply]
Snigger? It should probably be OK in the list with word boundaries, and dotcom should be OK if it's limited to the end of the name. I'm not sure what the current consensus is on religious Jesus-related names. It's not really banned by the username policy. Note that "often used abusively" is not a criterion for inclusion in this list - only "always used abusively". -- zzuuzz (talk) 22:16, 30 September 2007 (UTC)[reply]
Other ones to put into the blacklist: "Jewish" (being used abusively), "Jimmy Wales" (being used to impersonate Jimbo Wales) and "puke" (inappropriate and disgusting word; I've seen usernames like User:Dmcdevit makes me puke, and 'Puke' is already on the Simple English Wikipedia's blacklist). NHRHS2010 Talk 22:23, 30 September 2007 (UTC)[reply]
Puke and Jewish are inappropriate for this list. This list does not discriminate on intention. See above comments. -- zzuuzz (talk) 22:27, 30 September 2007 (UTC)[reply]
Another one that is good for the blacklist: "Suck my dick". NHRHS2010 Talk 22:28, 30 September 2007 (UTC)[reply]
How common are these? This list is not intended to be a compendium of every bad name in the world. --Carnildo 22:37, 30 September 2007 (UTC)[reply]
I know, I already know that "cock" is inappropriate for the blacklist since someone's last name can be "Hancock". And also, "phuck" should be in the blacklist since 'phuck' is the alternative spelling of 'fuck' so vandals who are trying to create usernames with the word 'fuck' use the word 'phuck'. NHRHS2010 Talk 22:39, 30 September 2007 (UTC)[reply]

Suggestion

I'd like to add the characters 卐 and 卍 to the list. Any user who registered a name with those would be quickly blocked. I would add it myself; I'm sure this is uncontroversial, but I'm not totally sure how to handle the regexp so it works properly and I don't want to cause damage by doing it wrong. Mangojuicetalk 14:32, 4 October 2007 (UTC)[reply]

I think they were added before but removed, but I'm not exactly sure. ^demon[omg plz] 17:16, 4 October 2007 (UTC)[reply]
Checked all the revisions; never added that I could find. Someone proposed blacklisting "nazi" above, but that appears in reasonable names like Nazim. Mangojuicetalk 19:26, 4 October 2007 (UTC)[reply]
They were added here, and removed here. ^demon[omg plz] 19:30, 4 October 2007 (UTC)[reply]
Well, those matched only one username each, and that's why they were removed. Anyway, I added them back. The way I see it this is win-win: no one gets to troll with swastikas in their username, and if anyone was going to use one innocently, not realizing it was offensive, this will help them avoid that mistake. Mangojuicetalk 19:32, 4 October 2007 (UTC)[reply]
And I tested my regexp; seems to be working properly. I was just concerned that the special characters wouldn't work properly. Mangojuicetalk 19:33, 4 October 2007 (UTC)[reply]
I would also like to suggest "bitch", "phuck", and "suck my dick" onto the blacklist because they are clearly offensive words. NHRHS2010 Talk 00:01, 5 October 2007 (UTC)[reply]
I don't support adding "bitch" to the list; several usernames including "bitch" have been allowed after discussion. Also, false positives: User:abitchilly for instance. Mangojuicetalk 04:16, 5 October 2007 (UTC)[reply]
And feel free to find as many racist and other offensive words as possible and add them onto blacklist, only when they don't have false positives. NHRHS2010 Talk 00:02, 5 October 2007 (UTC)[reply]
While I agree that many uses of a swastika as part of a user name would be to cause problems, I should point out that the swastika is also still used as a mystical symbol by eastern religions and has been used as such since long before the Nazis co-opted its use in 1920. Thus there are legitimate uses for a swastika, so a blanket ban may not be appropriate. -- Flyguy649 talk contribs 03:13, 5 October 2007 (UTC)[reply]
I was going to say exactly the same, but at a simple glance, people will mistake both. At least the left-sided one should be removed from the black list. Is the blacklist applied when a bureaucrat renames a user or creates one? If not, we could redirect people to one in case they want to use them. -- ReyBrujo 03:24, 5 October 2007 (UTC)[reply]
The blacklist is not applied to admin or bureaucrat username choices. I strongly disagree that this should ever be allowed in usernames, though. Despite the non-naziism associations swastikas can have, they are offensive to so many that they should just be completely avoided in usernames. Mangojuicetalk 04:16, 5 October 2007 (UTC)[reply]
How is "suck my dick" and "phuck" a false positive then? NHRHS2010 Talk 04:41, 5 October 2007 (UTC)[reply]
This is not a compendium of every possible offensive username. How common are either of those? --Carnildo 04:49, 5 October 2007 (UTC)[reply]
Carnildo seems to like to say "how common are those". Anyways, I would like to improve the word "penis" in the blacklist by changing (?i:peni(s|5)) to (?i:p(e|3)ni(s|5)) since '3' is often used as an 'e' for 'penis'. NHRHS2010 Talk 04:57, 5 October 2007 (UTC)[reply]
"Suck my dick" is excessively rare. "Phuck" has the potential for false positives since "phuc" is a name. Adding the (e|3) to the penis rule seems harmless to me, but also not very important. I'd rather not "leetify" all the rules here; such usernames will end up getting blocked anyway. Mangojuicetalk 05:02, 5 October 2007 (UTC)[reply]

length limit

Currently, all usernames of length 40 or more are being automatically reported to WP:UAA by a bot. I see no reason to allow good-faith users to create accounts that are just going to get reported for blocking immediately, so I'd like to add a regexp to limit length to at most 39. Specifically, I would add "(?i:.{40})" to the list. Any objections? There has been support for this at WT:U. Mangojuicetalk 15:19, 14 October 2007 (UTC)[reply]

Reports by that bot are not reports saying "this should be blocked" (unlike ones reported by humans, at least in theory). Bot reports are just names flagged for scrutiny. Any admin blocking usernames "because the bot said so" needs a talking to. SamBC(talk) 15:39, 14 October 2007 (UTC)[reply]
I agree... but if those names are even sometimes blocked, we would be doing the user a service by preventing them from registering that name in the first place. Mangojuicetalk 17:53, 14 October 2007 (UTC)[reply]
Many types of usernames are sometimes blocked. We would be doing newcomers a service by not letting them register at all. --Carnildo 18:40, 14 October 2007 (UTC)[reply]
Sounds like you're arguing for blacklisting loads of things that have been rejected from the blacklist, Mangojuice. "Your mom", perhaps? How about \btroll? SamBC(talk) 18:46, 14 October 2007 (UTC)[reply]
Does anyone know what the *software* limit on a name length is? I would think it's the page length value, but I could be wrong. ^demon[omg plz] 16:49, 14 October 2007 (UTC)[reply]
DanBealeCocks says he thought the limit was at 64 (see WT:U). Looking through the WP:UAA/Bot archives, I found a name of length 59... and I tried to register a username 78 characters long and it was rejected. Mangojuicetalk 21:11, 14 October 2007 (UTC)[reply]
I'm all for a software length limit (much better than arbitrarily blocking some usernames for being too long after the fact), but I think adding a regex to the blacklist is the wrong way to do it. If someone registers a username that matches one of the patterns on the blacklist, the message the user sees is "that username is disallowed because it contains a bad phrase, such as profanity". Obviously, showing this message to people who try to register overly long names will be confusing. Length should be a separate check that specifically indicates that the problem is that the username is too long. Is he back? 15:04, 15 October 2007 (UTC)[reply]
We could always edit that message, of course; it's at MediaWiki:Blacklistedusernametext. From my experimentation, the software limit, when hit, just returns a message saying the username is invalid, but doesn't say why. Mangojuicetalk 03:04, 16 October 2007 (UTC)[reply]
So, any thoughts on lowering the hard limit to 40-45 this way? -- lucasbfr talk 21:48, 10 November 2007 (UTC)[reply]
I'm opposed to it. Regular expressions can be expensive in terms of server operations, and every regex we add to this page is *another* one that has to be run over every single user registration on enwiki--which is a lot. Things like a length limit are better implemented at the software level, rather than admins mucking around with a blacklist that should be used sparingly. ^demon[omg plz] 14:26, 13 November 2007 (UTC)[reply]

purpose of the blacklist

It seems to me we should have a general discussion about what this blacklist is for, because I'd like to see it ... maybe change, maybe just be clearer.

Let's think about good faith users first - because they are really the most important. If a good faith user chooses a bad username, it's better if the interface declines it directly than if the interface allows it but they are later blocked or forced to change their username. The former is impersonal, and will probably lead to the user just picking another username. The latter is personal and unwelcoming and may discourage the user from contributing altogether. Of course, if a good faith user chooses a good username that's hit by the blacklist, it's unfortunate. There are ways around it but I'm sure that would be annoying and discouraging, and the user may feel like they aren't allowed to choose the name they want. This is probably okay to happen once but if it happens a lot to the same user they may give up altogether (one cannot always expect one's username to be available on any site, especially one as popular as Wikipedia.)

Bad faith users we just want to keep out. If they intend to be irritating with their username, and the blacklist prevents this, all the better because it didn't take human effort. But, we get tons of bad-faith accounts anyway and have lots of people watching for them, so it's not worth inconveniencing good faith users to deal with bad faith ones. So I propose that the list contain filters:

  1. For bad usernames that may be chosen inadvertently by good faith users. (Example: (?(\bm|M)(?i:oderator)) False positives are okay if they are expected to be rare and are easily avoided.
  2. With no false positives, for bad usernames of any type that come up at least somewhat frequently. (Example: (?i:cunnilingus))
  3. With few false positives, for trolling usernames that come up very frequently. (Example: (\bo|O)(?i:n wheels))

Does this seem sensible? Mangojuicetalk 20:48, 14 October 2007 (UTC)[reply]

Yes, except that the trolling usernames with some false positives would need to be so bizarre/rare as "on wheels", and they may not be necessary anyway. —Centrxtalk • 16:50, 20 October 2007 (UTC)[reply]
Admittedly, "on wheels" is the only example I can think of that fits that condition. But we never know, another vandal like that could turn up someday. Mangojuicetalk 18:32, 24 October 2007 (UTC)[reply]

Is this correct?

We've been getting hit by the "Carboncopypro" spammer, who creates user accounts and uses them to advertise his crap. Here are the accounts (so far).
Carboncopyproleads1
Carboncopypromoney1
Carboncopypromlm
Jaykubassekcarboncopypro
Carboncopyscam
Jaykubassekcarboncopy1
Carboncopypro12
Carboncopyscam
Wmicarboncopypro
Carboncopyproteam
Carboncopyproreview

See also - Carbon_Copy_Pro_3
See also - Carbon_Copy_Pro_2
See also - Carbon_Copy_Pro_spam

He has used a wide assortment of links, and we have resorted to blacklisting, but the accounts are still created. Is this the correct phrase, *(?i:carboncopypro), and if not, what is best to avoid any Scunthorpe Problems?

Thanks, --Hu12 (talk) 06:02, 21 February 2008 (UTC)[reply]

Blacklisting a spammer's user will not prevent him from creating accounts; he can just change infinitely the name he uses. —Centrxtalk • 21:14, 9 March 2008 (UTC)[reply]

Added an entry

For User:Kyoko, who has been targeted by JtV for over a year now. This has been discussed on checkuser-l - Alison 23:56, 11 May 2008 (UTC)[reply]

Blacklist suggestion...

  • 'Poop'. Seems to crop up reasonably regularly in usernames of vandalism only/troll accounts. --Kurt Shaped Box (talk) 22:54, 10 June 2008 (UTC)[reply]
    • I first and for a long time knew "poop" as "ship's stern" and imitative of the noise of a ship's siren. I only recently came across it used to mean "faeces". Anthony Appleyard (talk) 09:29, 6 September 2008 (UTC)[reply]

"admin" and "murder"

I have made two small changes -- upgrading the "admin" regex to a simple case-insensitive, boundaryless match. We have had a large number of username creations of the form "xxxadmin" reported to WP:UAA, each of which consumes a fair amount of admin time to investigate, counsel, block, etc. The existing regex was not sufficient to prevent them. Upgrading the regex may cause an extremely tiny number of false positives (badminton fans?) but the cost/benefit ratio is tremendous.

Also, there has been a spate of "murder" registrations, I suspect all by the same person (or maybe it's a gaming clan or similar nonsense), so I added that; it can be considered temporary as the person/persons will probably give up at some point. --MCB (talk) 21:12, 19 June 2008 (UTC)[reply]

Can't we exclude words like "badminton"? I'm almost sure that's possible, but I don't know enough about regular expressions to do it myself. --Conti| 21:25, 19 June 2008 (UTC)[reply]
Seems to me that a regex that banned any username where "admin" was at one end or the other of a word, but permitted usernames where "admin" was in the middle, would solve the problems. Ban "Admin23" and "JoeAdmin", but not "badminton". Cases like "XxxAdmin32xxX" would still need to be handled on an individual basis. --Carnildo (talk) 23:25, 19 June 2008 (UTC)[reply]
Sounds good to me. --Conti| 23:59, 19 June 2008 (UTC)[reply]

The regex already handled this wisely, matching "Admin23" and "JoeAdmin" but not "badminton". The blacklist is not a bludgeon. False positives only inconvenience and deter innocent registrants; disruptors will always be able to create disruptive usernames. Preventing "xxxadmin" is helpless against "Adm1n" —Centrxtalk • 03:59, 7 July 2008 (UTC)[reply]

Except that the real problem is "xxxadmin", not the hypothetical "badminton", and the more general-case regex has saved a lot of work at WP:UAA over the last couple of weeks. And "Adm1n" is so lame that it's probably not even worth blocking, since no one would credibly confuse it with an actual admin. I think we need to see actual evidence of false positives before we try to over-fine-tune this. The wasted time of a number of people dealing with WP:UAA, to my mind, vastly outweighs a hypothetical future user who might not get his/her first choice of user name. --MCB (talk) 05:01, 7 July 2008 (UTC)[reply]
"Badminton" is not hypothetical; people actually have this username and it is a "real" problem for anyone deterred from their chosen username that matches "*admin*". We could eliminate more work at WP:UAA by requiring all new users to be approved before choosing a username. "xxxadmin" is pretty lame, and I don't see anyone confusing it with an actual admin. Actual false positives are, for example, existing users User:Badmintonhist and User:Padminiraman.
Also, you should not be edit warring on a protected page to implement your new change in contradiction of the prevailing consensus for the usage of this list, which was re-affirmed in this very discussion section where your change met multiple objections about false positives. You need to revert back to the long-standing version of the page. —Centrxtalk • 05:21, 7 July 2008 (UTC)[reply]
The change has been stable and unreverted since June 19, which gives it at least some presumptive policy weight. Carnildo's and Conti's counterproposal did not seem particularly strongly held and there was no further discussion after June 19. As a policy question, the unlikely possibility of this causing harm weighed against the actual harm of additional work for admins and patrollers -- in other words, the cost/benefit ratio -- leads me to believe that the more general regex is the wiser choice. Revert it if you choose -- I won't edit war over this -- but if you do perhaps you'll join us over at WP:UAA and help out with the workload. (By the way, there was an "xxxadmin" within a very short time after your revert.) Best, MCB (talk) 06:12, 7 July 2008 (UTC)[reply]
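
The trade-off argued in this section, as an added example that is not part of the discussion or of the Username Blacklist extension's code: a PHP audit of a candidate entry against names that must stay registrable and names it is meant to stop. Both candidate patterns are constructed (the second follows the shape of the "on wheels" entry quoted earlier on this page), `toRegex` and `auditEntry` are hypothetical helpers, and the usernames are the ones the participants quote.

```php
<?php
// Added example, not code from the Username Blacklist extension.
// Audits a candidate entry against names that must stay registrable and
// names the entry is meant to stop, before an admin saves it.

/** Wrap a blacklist entry in delimiters; 'u' treats pattern and subject as UTF-8. */
function toRegex(string $entry): string
{
    return '/' . str_replace('/', '\/', $entry) . '/u';
}

/** Return the false positives and the misses of one entry. */
function auditEntry(string $entry, array $mustAllow, array $mustBlock): array
{
    $regex = toRegex($entry);
    $hits = fn(string $name): bool => preg_match($regex, $name) === 1;
    return [
        'false_positives' => array_values(array_filter($mustAllow, $hits)),
        'misses' => array_values(array_filter($mustBlock, fn($n) => !$hits($n))),
    ];
}

// Usernames quoted in the discussion above.
$mustAllow = ['Badmintonhist', 'Padminiraman', 'badminton'];
$mustBlock = ['Admin23', 'JoeAdmin', 'xxxadmin'];

// Constructed candidates; neither is copied from the real list.
$candidates = [
    'boundaryless' => '(?i:admin)',
    // Same shape as "(\bo|O)(?i:n wheels)": a word start or a capital A.
    'word start or capital' => '(\ba|A)(?i:dmin)',
];

foreach ($candidates as $label => $entry) {
    $r = auditEntry($entry, $mustAllow, $mustBlock);
    printf("%-22s %-18s false positives: %-40s missed: %s\n", $label, $entry,
        implode(', ', $r['false_positives']) ?: '-',
        implode(', ', $r['misses']) ?: '-');
}
```

Run with the PHP command-line interpreter (7.4 or later); extending the two name lists with real registrations gives the "actual evidence of false positives" the thread asks for.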

Disabled

Apparently our regexen are too complex and are causing server crashes. Tim has disabled the blacklist pending resolution. Stifle (talk) 21:30, 25 July 2008 (UTC)[reply]

Could it be turned on again to test, after the complex Grawp expression was removed? Thanks. --MCB (talk) 21:33, 25 July 2008 (UTC)[reply]
I'd assume that if it were that simple (just to remove one regex) that the sysadmins might have done that, or told us to do it, rather than disabling the whole thing. Not sure though. - Rjd0060 (talk) 01:11, 26 July 2008 (UTC)[reply]
Removing the one regex will fix it for now, but what about the next time an admin gets too clever for his own good? --Carnildo (talk) 03:43, 26 July 2008 (UTC)[reply]
There are two issues: (1) the extension has no active maintainer; (2) it should never be possible for an administrator to cause the type of issues that were being caused by these regexes. When both of these issues are resolved, the extension will be re-enabled. --MZMcBride (talk) 04:04, 26 July 2008 (UTC)[reply]
Does the title blacklist also have these issues? --Carnildo (talk) 05:01, 26 July 2008 (UTC)[reply]
The title blacklist was created more recently, and also still has an active maintainer, so it probably works quite differently - I'm not sure if it's still prone to the same regex bugs, though. krimpet 05:06, 26 July 2008 (UTC)[reply]

I agree that it should not be possible for an admin to cause the type of issue that was caused by that regex, but that seems to me to be a code issue, not a policy one. Surely it is a best practice to check the input to a parser (etc.) for excessive length or complexity? Unfortunately the lack of the blacklist is causing a lot of work for admins. As for now, surely a simple note advising people not to create excessively complex regexes would suffice, no? We trust admins not to mass-delete articles, surely we can be trusted not to break the server. So I guess I'd call this a "please fix soonest". Thanks, --MCB (talk) 07:13, 26 July 2008 (UTC)[reply]

How do you detect, on a code level, "too complex"? It seems to me that doing so in the general case means solving the halting problem. --Carnildo (talk) 07:48, 26 July 2008 (UTC)[reply]
I don't mean formal computability, obviously, just simple limits on things like the number of objects in data structures, recursion counters, etc. I have nothing but admiration for the developers, but it's axiomatic in software development that bad data should not cause a program to crash. --MCB (talk) 20:34, 26 July 2008 (UTC)[reply]

Note: This feature has since been re-enabled (Special:Version). --MZMcBride (talk) 20:04, 26 July 2008 (UTC)[reply]

Thank you! --MCB (talk) 20:34, 26 July 2008 (UTC)[reply]
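
The kind of limit MCB describes, as an added PHP example that is not the extension's code: PHP's PCRE functions honour the `pcre.backtrack_limit` and `pcre.recursion_limit` settings, and `preg_match` returns `false` when one is exceeded, so a costly entry can be skipped instead of stalling the request. `boundedMatch`, the budget of 10000, the expensive pattern and the probe username are assumptions made for illustration; the page does not say which property of the removed entry caused the crashes.

```php
<?php
// Added example, not code from the Username Blacklist extension.
// Caps the work PCRE may spend on one match, so an expensive entry produces
// an error code that the caller can act on.

const PCRE_REASONS = [
    PREG_INTERNAL_ERROR        => 'internal error or pattern did not compile',
    PREG_BACKTRACK_LIMIT_ERROR => 'backtrack limit reached',
    PREG_RECURSION_LIMIT_ERROR => 'recursion limit reached',
    PREG_BAD_UTF8_ERROR        => 'invalid UTF-8',
    PREG_JIT_STACKLIMIT_ERROR  => 'JIT stack limit reached',
];

/**
 * Match one entry against one username under a work budget (hypothetical helper).
 * Returns ['matched' => bool|null, 'error' => string|null]; null means "unknown".
 */
function boundedMatch(string $entry, string $username, int $budget = 10000): array
{
    $limits = [
        // Interpreter path: with the JIT on, exhaustion can be reported as
        // PREG_JIT_STACKLIMIT_ERROR instead of a backtrack-limit error.
        'pcre.jit'             => '0',
        'pcre.backtrack_limit' => (string) $budget,
        'pcre.recursion_limit' => (string) $budget,
    ];
    $saved = [];
    foreach ($limits as $key => $value) {
        $saved[$key] = ini_get($key);
        ini_set($key, $value);
    }

    $regex  = '/' . str_replace('/', '\/', $entry) . '/u';
    $result = @preg_match($regex, $username);   // @: a compile warning is handled below
    $code   = preg_last_error();

    foreach ($saved as $key => $value) {
        if ($value !== false) {
            ini_set($key, $value);              // restore the previous settings
        }
    }
    if ($result === false) {
        return ['matched' => null,
                'error'   => PCRE_REASONS[$code] ?? 'pattern did not compile'];
    }
    return ['matched' => $result === 1, 'error' => null];
}

// Constructed inputs: one entry quoted on this page, one deliberately
// expensive pattern, and a 41-character probe username.
$entries = ['(\bo|O)(?i:n wheels)', '(\w+)+$'];
$probe   = str_repeat('a', 40) . '!';

foreach ($entries as $entry) {
    $r = boundedMatch($entry, $probe);
    if ($r['error'] !== null) {
        // Skip and log the entry, so the faulty rule is noticed and fixed.
        printf("%-24s skipped: %s\n", $entry, $r['error']);
    } else {
        printf("%-24s %s\n", $entry, $r['matched'] ? 'blocked' : 'allowed');
    }
}
```

Whether an entry that exceeds the budget should be skipped or should reject the registration is a policy choice; the example skips it and reports the reason.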

Obsolete

Username blacklist functionality has been added to the TitleBlacklist extension, making this list effectively obsolete; all blacklisted titles will now also be blacklisted from creation (preventing, for example, the curious situation before where someone could create a blacklisted username, but their userspace would be protected from creation...). New blacklist entries should be added to MediaWiki:Titleblacklist instead, optionally with the <newaccountonly> parameter if only the username is to be blacklisted. krimpet 02:54, 10 August 2008 (UTC)[reply]

Thanks for the update. Could someone please merge in the material from this list to the Titleblacklist, however? It looks like the Admin, Sysop, etc. regexes were just dropped, not merged. Thanks, MCB (talk) 04:45, 10 August 2008 (UTC)[reply]
:-) --MZMcBride (talk) 06:59, 10 August 2008 (UTC)[reply]
Excellent! Thanks. --MCB (talk) 07:07, 10 August 2008 (UTC)[reply]