stevio
Member of DD Central
Posts: 2,065
Likes: 894
Post by stevio on Nov 11, 2015 17:05:31 GMT
Unlike others who anonymise usernames, FundingSecure post the full username on loans, enabling the lender to be identified, how much they have invested in that loan and also compromising security by giving half of only 2 pieces of identity needed to log into your account. There are multiple password programs that go through millions of password combinations in seconds.
Do you consider this a security issue?
oldgrumpy
Member of DD Central
Posts: 5,087
Likes: 3,233
Post by oldgrumpy on Nov 11, 2015 17:25:30 GMT
Yes. It is time really that FS replaced this with a three stage sign in, and called me o****g (or something else!) in their investor lists.
ablender
Member of DD Central
Posts: 2,204
Likes: 555
Post by ablender on Nov 11, 2015 18:28:17 GMT
Why? It is really annoying. Currently there is a guy who is annoying everyone on SS and the only thing you see is s*****r. Why can't we see the user name? After all you all show your user name here and it does not have to be your name and surname - so I do not see where the security risk comes in.
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Nov 11, 2015 18:34:27 GMT
"Why? It is really annoying. Currently there is a guy who is annoying everyone on SS and the only thing you see is s*****r. Why can't we see the user name? After all you all show your user name here and it does not have to be your name and surname - so I do not see where the security risk comes in."
The security risk arises because FS opt to use your website login ID (in full) to identify you on loans and only use 1 step login security.
ablender
Member of DD Central
Posts: 2,204
Likes: 555
Post by ablender on Nov 11, 2015 18:40:25 GMT
Then the issue is not the use of the username but the need for an extra layer of security while logging in. FC uses the full user name and there is no risk. They do however add a security question apart from the password.
ilmoro
Member of DD Central
'Wondering which of the bu***rs to blame, and watching for pigs on the wing.' - Pink Floyd
Posts: 11,315
Likes: 11,524
Post by ilmoro on Nov 11, 2015 18:45:21 GMT
"Then the issue is not the use of the username but the need for an extra layer of security while logging in. FC uses the full user name and there is no risk. They do however add a security question apart from the password."
My FC log in isn't my displayed user name.
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Nov 11, 2015 18:49:53 GMT
"Then the issue is not the use of the username but the need for an extra layer of security while logging in. FC uses the full user name and there is no risk. They do however add a security question apart from the password."
The FC user name has nothing to do with your login ID, for which they use your registered email address. [crossed with ilmoro]
ablender
Member of DD Central
Posts: 2,204
Likes: 555
Post by ablender on Nov 11, 2015 18:54:43 GMT
You are both correct on that. So that might be a change that can be done here. But I like the idea of seeing the user name. If someone is stabbing me in the back, I want to know who.
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Nov 11, 2015 18:59:54 GMT
"You are both correct on that. So that might be a change that can be done here. But I like the idea of seeing the user name. If someone is stabbing me in the back, I want to know who."
Pretty hard to do that on FS anyway but, out of interest, what difference does it make whether someone is listed as deviousgit or d********t?
oldgrumpy
Member of DD Central
Posts: 5,087
Likes: 3,233
Post by oldgrumpy on Nov 11, 2015 19:01:29 GMT
Rogues up to mischief wouldn't be able to log in with d********t.
ablender
Member of DD Central
Posts: 2,204
Likes: 555
Post by ablender on Nov 11, 2015 19:03:16 GMT
I use eBay regularly and I saw a lot of abuses cloaked under the idea of private buyers. The same will happen everywhere.
SteveT
Member of DD Central
Posts: 6,875
Likes: 7,924
Post by SteveT on Nov 11, 2015 19:09:06 GMT
"Rogues up to mischief wouldn't be able to log in with d********t"
Totally agree that using website login ID as the lender identifier / username is crazy. My point was really that usually someone can choose any username they like (baz**** springs to mind) without revealing their true identity.
stevio
Member of DD Central
Posts: 2,065
Likes: 894
Post by stevio on Nov 11, 2015 21:10:01 GMT
"I use eBay regularly and I saw a lot of abuses cloaked under the idea of private buyers. The same will happen everywhere."
Talking eBay, PayPal has become hackers' choice because they too give away your username (email), so hackers need only guess a single password.
ribs
Probably not James Marshall
Posts: 148
Likes: 151
Post by ribs on Nov 12, 2015 10:16:32 GMT
"There are multiple password programs that go through millions of password combinations in seconds."
You are misunderstanding how this technology works. The method you describe is called 'brute force'. Yes, there are programs that can "go through" millions of password combinations in seconds, often using rainbow tables or random keyspace attacks... However, they tend to work against a local file, such as a hashed and encrypted password file that may have been stolen. And if that file is stolen, your username is already exposed and there is nothing you can do about it.

The biggest problem here for a potential attacker is the network. You cannot submit millions of passwords in seconds to the Funding Secure website. I am assuming (but I do not know) that Funding Secure's website has been designed in a sane way, where X amount of failed login attempts in Y amount of time ends up in a locked account, or at least flags and alerts someone. It's usually something like 3 attempts in 120 seconds or something. This action alone would stop the vast majority of attackers using such a method. Others may attempt it, if they maybe have a few passwords that they know a specific user likes to use, but most won't, and probably won't use an automated program to do it either.

The bigger concern should be for people being "doxxed", where the user is stupid/naive/unfortunate enough to go and get their information leaked online and tied to their public online alias. Even then, I don't see Funding Secure being a particularly lucrative target. Depending on the attacker's intent, a Facebook account can be much more valuable. How do you find your friends on Facebook? Their email is the most accurate way. How do you log in to Facebook again? Oh yeah, email address and password. For all its faults, Facebook actually does security fairly well from a technical standpoint.

Whilst I understand your intentions are entirely pure, I'm sorry to say you're simply wrong here; exposing the username isn't really a security risk, and if it is, it's a tiny one. In future, just use random usernames for each site you use if it concerns you that much (this will help against being doxxed), and, for the love of all that is good and pure in the world, use different passwords for every site you visit, including this one. Can't remember all those passwords? No, neither can I, hence I use LastPass. I literally have no idea what my password is to most things, but LastPass has done an excellent job of making new passwords and remembering them for me. And yes, LastPass is about as secure as it gets right now; just pick a strong and memorable master password, as your master password is what encrypts all the other data (if you forget it, you're stuffed, essentially). LastPass can generate some pretty bad-ass passwords: X8gCeaWeo6BW8mD9Kej3WpMGRrjbV0KopRUd6SIQ, I just asked it to make, for example. Good luck, stay safe, and don't be afraid of your username.
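The "X failed attempts in Y seconds locks the account, or at least flags and alerts someone" policy that ribs describes above, as an added illustration that is not part of this thread and is not FundingSecure's or LastPass's own code. The policy values (3 failures in a 120-second window, a 15-minute lock), the sample user and the password guesses are all constructed; the store of salted PBKDF2 hashes stands in for whatever the site actually uses. The simulation shows why knowing the public username alone buys an online guesser very little: the lockout stops the checking after the third wrong guess, and the failures are logged for someone to look at. The last function generates a random password from the OS CSPRNG, the kind of thing a password manager does for you.

```python
import hashlib
import hmac
import os
import secrets
import string
from collections import defaultdict, deque

# Constructed policy values (assumptions, not FundingSecure's real settings):
# 3 failures inside a 120-second window locks the account for 15 minutes.
MAX_FAILURES = 3
WINDOW_SECONDS = 120
LOCKOUT_SECONDS = 900
PBKDF2_ROUNDS = 100_000  # slow hash: a stolen credential file is costly to crack offline


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, expected):
    """Constant-time comparison so the check itself leaks nothing about the stored hash."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


# Dummy record verified for unknown usernames, so a failed login costs the same
# time whether or not the username exists (no username enumeration via timing).
_DUMMY_RECORD = hash_password("not-a-real-password")


class LoginThrottle:
    """Tracks failed logins per username and locks after MAX_FAILURES in WINDOW_SECONDS."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # username -> timestamps of recent failures
        self._locked_until = {}              # username -> time at which the lock expires
        self.alerts = []                     # what the "flags and alerts someone" step would send

    def is_locked(self, user, now):
        return self._locked_until.get(user, 0) > now

    def attempt(self, user, password, store, now):
        """Process one login attempt at time `now`; returns 'locked', 'ok' or 'bad'."""
        if self.is_locked(user, now):
            return "locked"  # the password is not even checked while the account is locked
        salt, expected = store.get(user, _DUMMY_RECORD)
        ok = verify_password(password, salt, expected) and user in store
        if ok:
            self._failures.pop(user, None)  # a successful login clears the failure history
            return "ok"
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            self.alerts.append(f"{user}: {len(recent)} failed logins within {self.window}s; "
                               f"locked until t={now + self.lockout}")
            recent.clear()
        return "bad"


def simulate_guessing(throttle, store, user, guesses, start=0, spacing=1):
    """Someone who knows the public username submits one guess every `spacing` seconds.
    Returns (guesses actually checked against the hash, whether the password was found)."""
    checked = 0
    for i, guess in enumerate(guesses):
        result = throttle.attempt(user, guess, store, start + i * spacing)
        if result != "locked":
            checked += 1
        if result == "ok":
            return checked, True
    return checked, False


def generate_password(length=40, alphabet=string.ascii_letters + string.digits):
    """Random password drawn from the OS CSPRNG, as a password manager would generate it."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample account; the username is public, as on the lender lists discussed above.
    store = {"stevio": hash_password("correct-horse-battery-staple")}
    throttle = LoginThrottle()
    guesses = ["password", "123456", "qwerty", "letmein", "correct-horse-battery-staple"]
    print(simulate_guessing(throttle, store, "stevio", guesses))  # (3, False): locked after 3
    print(throttle.alerts)
    print(generate_password())
```

The flip side of a hard lockout is that anyone who knows a username can lock its real owner out by sending three wrong passwords, which is exactly why ribs's weaker option (flag and alert rather than lock) is sometimes preferred, or the counter is kept per source address as well as per account; the alerts list here is the hook for that. A second login factor, as several posters in this thread ask for, removes the dependence on the password alone.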
oldgrumpy
Member of DD Central
Posts: 5,087
Likes: 3,233
Post by oldgrumpy on Nov 12, 2015 10:35:28 GMT
"Good luck, stay safe, and don't be afraid of your username."
Gee, thanks ribs. That's really reassuring!
Virginia Woolf it is then .... aaaaaaaaaaaahhh! Oops!