I've had a problem today, and I've decided to share it, so that others may one day benefit from this. I haven't been to the site in months, probably longer. When I came back, I didn't even remember I had an account in the first place, so I proceeded to register. My default username choice is Egon_Freeman, but the register form told me that it contains illegal characters (despite the underscore NOT being in the illegal characters list - fix that please?). So - my second, obvious username choice is EgonFreeman without the underscore, but the site told me that it was taken already. So okay - apparently I have an account here already. So I proceed to reset the password. On the Reset Password Form I entered my e-mail, and voilla - I got the reset password e-mail. But when I re-set my password and tried to log in, using combination EgonFreeman / (new password), it wouldn't work! I tried again, and it locked the account out for 13 minutes, I believe (I apologize for that, by the way). So I tried to reset my password again, only this time I used EgonFreeman as the user name, believing it to BE my username... The e-mail never arrived. Now, the problem could probably be obvious to some of You, but let me spell it out: my user name, as may be obvious, contains an underscore. I failed to read the entire e-mail message, which had my account name IN IT, because I do what we all do - I "scan" when I read: I was expecting a link to reset my password, so I scanned for a link - hence ignoring the rest of the message, and being blissfully oblivious to the problem. So I accidentally locked out some poor fellow's account. I must've registered my user name (Egon_Freeman) way back when the underscore was STILL a valid character in user names! But the register form FAILED to inform me that Egon_Freeman was taken - it instead just told me that it had an illegal character, leading me to assume that an account with an underscore was not possible to exist, which is OBVIOUSLY FALSE. So yeah, a fallacy on my end (failing to read the e-mail entirely), but the mechanism shows a certain logic I believe to be universal to a larger group of users. I realize that revealing an "already taken" account is technically a potential security issue, but then this issue is already present - as soon as a valid (but taken) username is entered, it shows that it's used already. So could You PLEASE change the error priority order? FIRST show if a username is taken, valid-by-current-standards or not, and THEN check for username validity. I don't know how probable it is for my case to pop up frequently (as in - an account with an illegal-by-current-standards character in it, almost identical to an existing legal one), but I just wanted to give You a heads-up. I know that some users (some of my friends, actually) use the register-form as a substitute for "checking if I have an account", because it's faster/more efficient: if I don't, I create it in the same step.
