Sometimes we are a bit too comfortable with our passwords … Due to the current situation, I strongly recommend that you create a separate password for the DXO account and the forum account - if you haven’t already done so.
You should also enable MFA in the forum.
Add a passkey (preferably synced) or a couple of hardware keys like YubiKeys.
How does that then work?
Then you use passkeys, a hardware key or an authenticator app to identify yourself.
An auth app will be an additional factor beyond name and password.
Passkeys are used instead of passwords. They are passwordless, always secure and always unique. They are based on asymmetric key encryption.
On the DxO forums I log in with name and password and then I’m asked for one of the security keys which I have registered.
The use of MFA (multi-factor authentication) already contains a few hurdles for the inexperienced user.
In principle, it is like accessing a bank account: The first step is to log in and the second step is additional identification.
The additional identification can be carried out via hardware devices that are plugged into the USB port or held up to the screen to receive data via a flicker code.
The few smartphone users among us can download authenticator apps that turn the smartphone into a similar type of hardware solution.
Setting up the apps is a bit strange for the normal user, but there is no getting around it. Describing this setup here would certainly go too far, as there are several providers.
What is important from my point of view:
- Each website requires its own password
- The browser must run on a different computer (e.g. smartphone) than the authentication software.
- Generated keys must always be backed up at short notice - in an encrypted database. It is best to also copy the QR code provided by the website, print it out and store it securely. Otherwise, if the smartphone is stolen or broken, the keys will be irretrievably lost.
It’s a lot of brain work, but it’s necessary. This year, for example, Google will switch all accounts to MFA. You can no longer log in without it.
Those on macOS and iCloud can have everything stored and replicated between iCloud and all devices transparently.
The DxO forum produces a list of one-time codes to be stored/printed and used if the key is lost.
It shouldn’t have been necessary to point this out, but I fear it was necessary, so thank you @gserim for speaking up.
No one in their right mind should ever re-use the same password anywhere. You really, really must have a unique password for every place where you log in. Similarly, you should always use two-factor authentication (TFA) if the site you are accessing supports TFA.
What an awful idea. Maintaining forum accounts is a big enough pain in the neck without 2FA. Secure unique passwords are a must though. Which entails a password manager. Highly recommend Bitwarden, it works in all browsers and is the most reliable, least trouble and inexpensive (free or $12/year).
You’ve made a point - an integrated solution is the best option. I’ve been using KeePassXC as a password manager for years and TOTP is now also integrated.
However, I think that some forum members first need to get to grips with the subject. Professionals quickly learn how to use Bitwarden and other tools - but others don’t. Perhaps the forum can now be used to raise awareness of the necessary behavior and tools. Then the forum operator can also increase the complexity of account security without members leaving.
All the forum operator would need to do to contribute to better security is require complex passwords. Minimum length, mix of letters and numbers, upper/lower case. Adding symbols creates headaches.
In a forum what matters are moderator passwords, not users. A hacked user account is quickly isolated and repaired. The spam right now is from bots creating new accounts.
Apologies as it appears I’ve missed it:
Could you please elaborate on “the current situation” - what I read about is a spam issue. Are there cases of account breaches too?
Thx
I was referring to the situation where spam has been attacking the forum for a number of days without an effective solution being found. Spam is not an annoying pastime, but a means for a target - possibly a cyber attack - to either paralyze the server or gain access to the server’s data and penetrate associated networks and systems. This may seem exaggerated - but it is not unrealistic. As I understand it, countermeasures are currently being taken. At the time of the attacks, it seemed sensible to me to recommend a simple protective action for user accounts.
Thanks for your explanation @gserim.
So you are referring to the spam issue - using separate credentials with unique passwords is always a good idea, even better with 2FA/passkey.
However, happy to read that no account breaches are known (at least as of now).
Thx