A user ID uniquely identifies every single user; a password doesn't. A password is an authentication mechanism, not an identifier. Every user accessing your system should have a distinct, individual user ID, and no two should be alike. Since passwords are secret, two different users, with different user IDs, could conceivably pick the same password without compromising the system. Why? Because the system authenticates the user ID and password together, not the password alone. Despite sharing a password, the two users still have their own unique IDs, so the coincidence gives neither of them a way into the other's account. (This is also why a password must never double as a lookup key: in a system that recognized users by password alone, those two accounts would collide.)
On the other hand, if users are allowed to change their IDs at will, a malicious user could create a phantom account: one person operating under two IDs, an open one for legitimate use and a covert one for unauthorized access, with nothing in the logs tying the two together. Every permission, audit record and access decision is keyed to the user ID; once that key can change, the link between a person and their recorded actions is lost.
This isn't immediately intuitive. If allowing frequent password changes makes login credentials more secure, shouldn't the same be true for frequent user name changes? Not exactly. Again, think about the difference between the two: although they are used together, they are very different things. One is an identifier (the user ID), the other an authenticator (the password). Changing a secret limits how long a leaked secret stays useful; changing an identifier only breaks the record of who did what.
Therefore, a good rule of thumb for updating login credentials is to allow password changes, but not user ID changes.
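The following is an added example, not code from the original article: a small in-memory account store that applies the rule above. The user ID is the immutable lookup key, the password is a salted, hashed authenticator that can be replaced by anyone who can present the current one, and any attempt to rename an ID is refused. The PBKDF2 parameters, the class and method names, and the sample user IDs and passwords are all illustrative choices made here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Hypothetical in-memory account store (example only). The user ID is the
# immutable primary key; the password is a replaceable authenticator.
# Two users may share a password without collision because authentication
# is keyed by the (user ID, password) pair, never by the password alone.

PBKDF2_ITERATIONS = 100_000  # illustrative work factor


def _hash_password(password: str, salt: bytes) -> bytes:
    # Per-user salt: identical passwords produce different hashes, so the
    # store itself cannot tell that two users happen to share a password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    user_id: str      # identifier: unique, never changes
    salt: bytes
    pw_hash: bytes    # authenticator: secret, replaceable
    history: list = field(default_factory=list)  # audit trail, keyed to user_id


class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict = {}

    def create(self, user_id: str, password: str) -> None:
        # IDs must be unique: refuse a second account under the same one.
        if user_id in self._accounts:
            raise ValueError(f"user ID already exists: {user_id}")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))

    def authenticate(self, user_id: str, password: str) -> bool:
        acct = self._accounts.get(user_id)
        if acct is None:
            # Hash anyway so an unknown ID costs the same time as a wrong password.
            _hash_password(password, b"\x00" * 16)
            return False
        ok = hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))
        acct.history.append(("login", ok))
        return ok

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        # Allowed: the authenticator is replaceable, but only by someone who
        # can present the current one. A fresh salt is drawn for the new hash.
        if not self.authenticate(user_id, old):
            return False
        acct = self._accounts[user_id]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash_password(new, acct.salt)
        acct.history.append(("password_changed", True))
        return True

    def change_user_id(self, old_id: str, new_id: str) -> None:
        # Not allowed: the ID is the key that ties every log entry and
        # permission to one person; renaming it would sever that link.
        raise PermissionError("user IDs are immutable; create a new account instead")

    def audit_trail(self, user_id: str) -> list:
        return list(self._accounts[user_id].history)


if __name__ == "__main__":
    store = AccountStore()
    store.create("alice", "winter2005")   # constructed sample credentials
    store.create("bob", "winter2005")     # same password, different ID: no collision
    print(store.authenticate("alice", "winter2005"), store.authenticate("bob", "winter2005"))
    print(store.change_password("alice", "winter2005", "spring2006"))
    try:
        store.change_user_id("alice", "alice2")
    except PermissionError as e:
        print("rename refused:", e)
    print(store.audit_trail("alice"))
```

Note that the audit trail lives on the account keyed by its unchanging ID, so every login and password change stays attributable to one person; changing the password never touches that record, which is exactly why it is safe to allow.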
This was first published in December 2005