top | item 12246338


h_o | 9 years ago

Just so you know, I googled Meraki and got this: https://www.meraki.com/

My opinion is that having number-based user accounts is fine as long as you don't provide any access to them in any of your request parameters.

They should be safely maintained server side, within sessions, and any request for other users' details is done via their username.

My last point is that a user should never be able to find out their user id #.

If you allow users to change their username, then you put the responsibility in the users' hands to update their external links.

E.g. if I change my Twitter handle, I have no idea how many places I have that referenced - so I just don't do it (not sure if you even can change it at will, actually)


No comments yet.
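The design described in the comment above, sketched as an added example that is not part of the original comment: numeric ids live only in server-side state, the client holds an opaque session token, other users are looked up by username, and a rename breaks old username-based links. The `Accounts` class, its method names and the sample users are hypothetical, and password checking is omitted.

```python
import secrets

class Accounts:
    """Constructed in-memory model: numeric ids exist only on the server."""

    def __init__(self):
        self._next_id = 1
        self._by_id = {}        # numeric id -> record (never serialized to clients)
        self._id_by_name = {}   # current username -> numeric id
        self._sessions = {}     # opaque session token -> numeric id

    def register(self, username, bio=""):
        if username in self._id_by_name:
            raise ValueError("username taken")
        uid = self._next_id
        self._next_id += 1
        self._by_id[uid] = {"username": username, "bio": bio}
        self._id_by_name[username] = uid

    def login(self, username):
        # Password check omitted; the token is the only thing the client holds.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = self._id_by_name[username]
        return token

    def profile(self, token, username):
        """Look up another user by username on behalf of a logged-in session."""
        if token not in self._sessions:
            raise PermissionError("not logged in")
        uid = self._id_by_name.get(username)
        if uid is None:
            return None  # unknown or renamed-away username
        rec = self._by_id[uid]
        return {"username": rec["username"], "bio": rec["bio"]}  # no id field

    def rename(self, token, new_name):
        """Rename the caller's own account; the target id comes from the session."""
        if token not in self._sessions:
            raise PermissionError("not logged in")
        uid = self._sessions[token]
        if new_name in self._id_by_name:
            raise ValueError("username taken")
        old = self._by_id[uid]["username"]
        del self._id_by_name[old]  # links to the old username stop resolving
        self._id_by_name[new_name] = uid
        self._by_id[uid]["username"] = new_name
```

Because `rename` takes its target from the session rather than from a request parameter, a caller has no field in which to name someone else's account.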