If your site puts the username in the URL of the user’s profile page, what would happen if I created a user named login? If I were to populate my profile with the text “Our log-in page has moved, please click here to log in”, with a link to my credential-harvesting site, how many of your users do you think I could fool? If your site creates email addresses from usernames, what happens if I sign up as a user named webmaster or postmaster? Will I get email directed to those addresses for your domain? Could I potentially obtain an SSL certificate for your domain with the right username and auto-created email address? If your site creates subdomains from usernames, what happens if I sign up as a user named www? Or smtp or mail?
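One way to guard against the collisions described above is a reserved-name check at sign-up, shown here as an added example that is not code from the original page. The function names are hypothetical, and every set entry other than login, webmaster, postmaster, www, smtp and mail is an illustrative assumption to be replaced with your own routes, mailboxes and hostnames.

```python
import unicodedata

# Reserved names per context. Only login, webmaster, postmaster, www, smtp and
# mail come from the text above; the rest are illustrative assumptions.
RESERVED = {
    # Username becomes a URL path segment: collides with the site's own routes.
    "url": {"login", "logout", "signup", "register", "admin", "settings"},
    # Username becomes a mailbox: role addresses (RFC 2142) and the local parts
    # certificate authorities accept for email-based domain validation.
    "email": {"webmaster", "postmaster", "hostmaster", "admin",
              "administrator", "abuse", "security", "root"},
    # Username becomes a subdomain: collides with service hostnames.
    "subdomain": {"www", "smtp", "mail", "imap", "pop", "ftp", "ns1", "ns2"},
}


def normalize(username):
    """Fold case and Unicode compatibility forms before comparing."""
    return unicodedata.normalize("NFKC", username).casefold().strip()


def reserved_contexts(username, contexts=("url", "email", "subdomain")):
    """Return the contexts in which the username collides with a reserved name."""
    name = normalize(username)
    hits = []
    for ctx in contexts:
        # Some mail servers deliver "webmaster+x" to "webmaster", so compare
        # only the part before "+" when the name is used as a mailbox.
        candidate = name.split("+", 1)[0] if ctx == "email" else name
        if candidate in RESERVED[ctx]:
            hits.append(ctx)
    return hits


if __name__ == "__main__":
    # Constructed sign-up attempts, not real data.
    for attempt in ["alice", "Login", "webmaster", "postmaster+tls", "\uff57\uff57\uff57"]:
        hits = reserved_contexts(attempt)
        print(f"{attempt!r}: {'reject (' + ', '.join(hits) + ')' if hits else 'ok'}")
```

Pass only the contexts your site actually derives from usernames, for example `contexts=("url",)` if usernames appear only in profile URLs.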