Do account names need to be protected?
I signed into my bank's website and they demanded I change my username because it was found on the web--duh, it's my name and I've been online since the old BBS days. Huh? Since when are account names something to be protected?
The rules presented for usernames included that it couldn't be part of my e-mail. However, after rejecting (firstname)(lastname) their system suggested (firstname)_(lastname). Is the latter really any more secure?
Is there reason behind this or is it just "cargo cult" behavior?
I think the reason for that is to avoid credential reuse across multiple websites.
No Firstname Lastname Usernames
I believe it is because they try to avoid phishing. If a user's username is Bill Mat and his email address is email@example.com, you give a scammer a good base to create a better phishing email.