diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4738b7360..885b625f2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -15,6 +15,8 @@
 	* Allow empty strings in CLI do-install [#1435](https://github.com/FreshRSS/FreshRSS/pull/1435)
 * Security
 	* No version number for anonymous users [#1404](https://github.com/FreshRSS/FreshRSS/issues/1404)
+* Misc.
+	* Relaxed requirements for username to `/^[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}/$` [#1423](https://github.com/FreshRSS/FreshRSS/pull/1423)
 
 
 ## 2016-12-26 FreshRSS 1.6.2
diff --git a/app/Controllers/javascriptController.php b/app/Controllers/javascriptController.php
index 00a7b5c38..6336106a9 100755
--- a/app/Controllers/javascriptController.php
+++ b/app/Controllers/javascriptController.php
@@ -26,7 +26,7 @@ class FreshRSS_javascript_Controller extends Minz_ActionController {
 		header('Pragma: no-cache');
 
 		$user = isset($_GET['user']) ? $_GET['user'] : '';
-		if (ctype_alnum($user)) {
+		if (FreshRSS_user_Controller::checkUsername($user)) {
 			try {
 				$salt = FreshRSS_Context::$system_conf->salt;
 				$conf = get_user_configuration($user);
diff --git a/app/Controllers/userController.php b/app/Controllers/userController.php
index 9d6ae18e6..593e24cf2 100644
--- a/app/Controllers/userController.php
+++ b/app/Controllers/userController.php
@@ -34,6 +34,16 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		return $passwordHash == '' ? '' : $passwordHash;
 	}
 
+	/**
+	 * The username is also used as folder name, file name, and part of SQL table name.
+	 * '_' is a reserved internal username.
+	 */
+	const USERNAME_PATTERN = '[0-9a-zA-Z]|[0-9a-zA-Z_]{2,38}';
+
+	public static function checkUsername($username) {
+		return preg_match('/^' . self::USERNAME_PATTERN . '$/', $username) === 1;
+	}
+
 	/**
 	 * This action displays the user profile page.
 	 */
@@ -104,7 +114,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 			$userConfig = array();
 		}
 
-		$ok = ($new_user_name != '') && ctype_alnum($new_user_name);
+		$ok = self::checkUsername($new_user_name);
 
 		if ($ok) {
 			$languages = Minz_Translate::availableLanguages();
@@ -187,7 +197,7 @@ class FreshRSS_user_Controller extends Minz_ActionController {
 		$db = FreshRSS_Context::$system_conf->db;
 		require_once(APP_PATH . '/SQL/install.sql.' . $db['type'] . '.php');
 
-		$ok = ctype_alnum($username);
+		$ok = self::checkUsername($username);
 		if ($ok) {
 			$default_user = FreshRSS_Context::$system_conf->default_user;
 			$ok &= (strcasecmp($username, $default_user) !== 0);	//It is forbidden to delete the default user
diff --git a/app/Models/Auth.php b/app/Models/Auth.php
index b3255cfbd..476627e10 100644
--- a/app/Models/Auth.php
+++ b/app/Models/Auth.php
@@ -182,7 +182,7 @@ class FreshRSS_Auth {
 
 class FreshRSS_FormAuth {
 	public static function checkCredentials($username, $hash, $nonce, $challenge) {
-		if (!ctype_alnum($username) ||
+		if (!FreshRSS_user_Controller::checkUsername($username) ||
 				!ctype_graph($challenge) ||
 				!ctype_alnum($nonce)) {
 			Minz_Log::debug('Invalid credential parameters:' .
@@ -211,7 +211,7 @@ class FreshRSS_FormAuth {
 			// Token has expired (> 1 month) or does not exist.
 			// TODO: 1 month -> use a configuration instead
 			@unlink($token_file);
-			return array(); 	
+			return array();
 		}
 
 		$credentials = @file_get_contents($token_file);
diff --git a/app/Models/Feed.php b/app/Models/Feed.php
index 97cb1c47e..7a9cf8612 100644
--- a/app/Models/Feed.php
+++ b/app/Models/Feed.php
@@ -442,7 +442,7 @@ class FreshRSS_Feed extends Minz_Model {
 				file_put_contents(USERS_PATH . '/_/log_pshb.txt', date('c') . "\t" . $text . "\n", FILE_APPEND);
 			}
 			$currentUser = Minz_Session::param('currentUser');
-			if (ctype_alnum($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
+			if (FreshRSS_user_Controller::checkUsername($currentUser) && !file_exists($path . '/' . $currentUser . '.txt')) {
 				touch($path . '/' . $currentUser . '.txt');
 			}
 		}
diff --git a/app/Models/UserDAO.php b/app/Models/UserDAO.php
index 32bc6de2f..a60caf395 100644
--- a/app/Models/UserDAO.php
+++ b/app/Models/UserDAO.php
@@ -85,7 +85,7 @@ class FreshRSS_UserDAO extends Minz_ModelPdo {
 	}
 
 	public static function touch($username = '') {
-		if (($username == '') || (!ctype_alnum($username))) {
+		if (!FreshRSS_user_Controller::checkUsername($username)) {
 			$username = Minz_Session::param('currentUser', '_');
 		}
 		return touch(join_path(DATA_PATH , 'users', $username, 'config.php'));
diff --git a/app/install.php b/app/install.php
index 986a7dc60..9a88e0f37 100644
--- a/app/install.php
+++ b/app/install.php
@@ -553,7 +553,7 @@ function printStep2() {
 		<div class="form-group">
 			<label class="group-name" for="default_user"><?php echo _t('install.default_user'); ?></label>
 			<div class="group-controls">
-				<input type="text" id="default_user" name="default_user" required="required" size="16" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
+				<input type="text" id="default_user" name="default_user" required="required" size="16" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" value="<?php echo isset($_SESSION['default_user']) ? $_SESSION['default_user'] : ''; ?>" placeholder="<?php echo httpAuthUser() == '' ? 'alice' : httpAuthUser(); ?>" tabindex="3" />
 			</div>
 		</div>
 
diff --git a/app/views/auth/formLogin.phtml b/app/views/auth/formLogin.phtml
index a8213b7ae..99be6059c 100644
--- a/app/views/auth/formLogin.phtml
+++ b/app/views/auth/formLogin.phtml
@@ -9,7 +9,7 @@
 		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<div>
 			<label for="username"><?php echo _t('gen.auth.username'); ?></label>
-			<input type="text" id="username" name="username" size="16" required="required" maxlength="16" pattern="[0-9a-zA-Z]{1,16}" autofocus="autofocus" />
+			<input type="text" id="username" name="username" size="16" required="required" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" autofocus="autofocus" />
 		</div>
 		<div>
 			<label for="passwordPlain"><?php echo _t('gen.auth.password'); ?></label>
diff --git a/app/views/auth/register.phtml b/app/views/auth/register.phtml
index 1f9976391..23bda25ce 100644
--- a/app/views/auth/register.phtml
+++ b/app/views/auth/register.phtml
@@ -5,7 +5,7 @@
 		<input type="hidden" name="_csrf" value="<?php echo FreshRSS_Auth::csrfToken(); ?>" />
 		<div>
 			<label class="group-name" for="new_user_name"><?php echo _t('gen.auth.username'), '<br />', _i('help'), ' ', _t('gen.auth.username.format'); ?></label>
-			<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" />
+			<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" />
 		</div>
 
 		<div>
diff --git a/app/views/user/manage.phtml b/app/views/user/manage.phtml
index a32247d14..793a3a0bd 100644
--- a/app/views/user/manage.phtml
+++ b/app/views/user/manage.phtml
@@ -22,7 +22,7 @@
 		<div class="form-group">
 			<label class="group-name" for="new_user_name"><?php echo _t('admin.user.username'); ?></label>
 			<div class="group-controls">
-				<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" maxlength="16" autocomplete="off" pattern="[0-9a-zA-Z]{1,16}" placeholder="demo" />
+				<input id="new_user_name" name="new_user_name" type="text" size="16" required="required" autocomplete="off" pattern="<?php echo FreshRSS_user_Controller::USERNAME_PATTERN; ?>" placeholder="demo" />
 			</div>
 		</div>
 
diff --git a/cli/_cli.php b/cli/_cli.php
index 7d1a7c6b2..f5e36eabc 100644
--- a/cli/_cli.php
+++ b/cli/_cli.php
@@ -20,7 +20,7 @@ function fail($message) {
 }
 
 function cliInitUser($username) {
-	if (!ctype_alnum($username)) {
+	if (!FreshRSS_user_Controller::checkUsername($username)) {
 		fail('FreshRSS error: invalid username: ' . $username . "\n");
 	}
 
diff --git a/cli/create-user.php b/cli/create-user.php
index 444264cc7..c9e350c14 100755
--- a/cli/create-user.php
+++ b/cli/create-user.php
@@ -17,7 +17,7 @@ if (empty($options['user'])) {
 		" --language en --email user@example.net --token 'longRandomString --no-default-feeds' )");
 }
 $username = $options['user'];
-if (!ctype_alnum($username)) {
+if (!FreshRSS_user_Controller::checkUsername($username)) {
 	fail('FreshRSS error: invalid username “' . $username . '”');
 }
 
diff --git a/cli/delete-user.php b/cli/delete-user.php
index 6f0e86e17..baa81b893 100755
--- a/cli/delete-user.php
+++ b/cli/delete-user.php
@@ -10,7 +10,7 @@ if (empty($options['user'])) {
 	fail('Usage: ' . basename(__FILE__) . " --user username");
 }
 $username = $options['user'];
-if (!ctype_alnum($username)) {
+if (!FreshRSS_user_Controller::checkUsername($username)) {
 	fail('FreshRSS error: invalid username “' . $username . '”');
 }
 
diff --git a/cli/do-install.php b/cli/do-install.php
index c9fa3f5ab..c2f5b286d 100755
--- a/cli/do-install.php
+++ b/cli/do-install.php
@@ -48,7 +48,7 @@ if ($requirements['all'] !== 'ok') {
 	fail($message);
 }
 
-if (!ctype_alnum($options['default_user'])) {
+if (!FreshRSS_user_Controller::checkUsername($options['default_user'])) {
 	fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $options['default_user']);
 }
 
diff --git a/cli/reconfigure.php b/cli/reconfigure.php
index 5294dd2df..da451b3ef 100755
--- a/cli/reconfigure.php
+++ b/cli/reconfigure.php
@@ -45,7 +45,7 @@ foreach ($dBparams as $dBparam) {
 }
 $config->db = $db;
 
-if (!ctype_alnum($config->default_user)) {
+if (!FreshRSS_user_Controller::checkUsername($config->default_user)) {
 	fail('FreshRSS invalid default username (must be ASCII alphanumeric): ' . $config->default_user);
 }
 
diff --git a/lib/lib_rss.php b/lib/lib_rss.php
index 560e5b256..cdd08719d 100644
--- a/lib/lib_rss.php
+++ b/lib/lib_rss.php
@@ -285,7 +285,7 @@ function uSecString() {
 }
 
 function invalidateHttpCache($username = '') {
-	if (($username == '') || (!ctype_alnum($username))) {
+	if (!FreshRSS_user_Controller::checkUsername($username)) {
 		Minz_Session::_param('touch', uTimeString());
 		$username = Minz_Session::param('currentUser', '_');
 	}
diff --git a/p/api/greader.php b/p/api/greader.php
index 4965ffd3b..01eca6d4f 100644
--- a/p/api/greader.php
+++ b/p/api/greader.php
@@ -152,7 +152,7 @@ function authorizationToUser() {
 		$headerAuthX = explode('/', $headerAuth, 2);
 		if (count($headerAuthX) === 2) {
 			$user = $headerAuthX[0];
-			if (ctype_alnum($user)) {
+			if (FreshRSS_user_Controller::checkUsername($user)) {
 				FreshRSS_Context::$user_conf = get_user_configuration($user);
 				if (FreshRSS_Context::$user_conf == null) {
 					Minz_Log::warning('Invalid API user ' . $user . ': configuration cannot be found.');