Security failure: requiring that create an account with a minimum or maximum account name size.

Why it’s a problem:

• Ham radio operators often like to use their world-unique radio callsigns to identify themselves and they are frequently four or five characters long. So they’ll need to resort to using their given names.
• People with relatively common given names will find that they can’t even use their own name as an account name, so they resort to made-up names, or worse – using their given name along with a year of birth, creating an even bigger security risk.

Also, in your user-feedback, don’t tell them how to social-engineer your security team. A simple and vague “input prohibited” would suffice, particularly if they’re trying to include something that your software or wetware tends to stumble with.