🔒 Security / Authentication Update

Over the last few months, the tape holding together our aging authentication system has started to fall apart and really show its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it’s completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing methods, which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.
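
An added sketch (not Subeta's code) of one way to get the three properties described above: the cookie's HMAC-SHA256 key is derived from the per-account key, the stored password hash and a site secret, so changing any of them invalidates outstanding cookies. The page does not specify the actual construction; every name and value below is hypothetical and the stores are constructed sample data.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed stores; all names here are hypothetical.
SERVER_KEYS = {"k1": secrets.token_bytes(32)}   # key id -> site secret
CURRENT_KID = "k1"
USERS = {"42": {"user_key": secrets.token_bytes(32),
                "password_hash": b"constructed-hash-v1"}}

def b64e(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def signing_key(user, kid):
    # Length-prefix each input so different (user_key, password_hash)
    # pairs can never produce the same key material.
    material = b"".join(len(p).to_bytes(4, "big") + p
                        for p in (user["user_key"], user["password_hash"]))
    return hmac.new(SERVER_KEYS[kid], material, hashlib.sha256).digest()

def issue_cookie(user_id, ttl=3600, now=None):
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": int(now) + ttl,
                          "kid": CURRENT_KID}).encode()
    tag = hmac.new(signing_key(USERS[user_id], CURRENT_KID), payload,
                   hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def verify_cookie(cookie, now=None):
    """Return the user id for a valid cookie, otherwise None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
        claims = json.loads(payload)
        # uid and kid are untrusted here; they only select which key to check.
        key = signing_key(USERS[claims["uid"]], claims["kid"])
    except (ValueError, KeyError, TypeError):
        return None          # malformed, unknown user, or retired site key
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None          # tampered, or user key / password has changed
    return claims["uid"] if claims["exp"] > now else None

def reset_user_key(user_id):
    # "Log out on all devices": cookies signed under the old key stop verifying.
    USERS[user_id]["user_key"] = secrets.token_bytes(32)

def rotate_server_key(new_kid):
    # Retiring the old site secret invalidates every outstanding cookie.
    global CURRENT_KID
    SERVER_KEYS.clear()
    SERVER_KEYS[new_kid] = secrets.token_bytes(32)
    CURRENT_KID = new_kid
```

Because the key is recomputed from current account state on every request, revocation needs no session table: a password change, a key reset or a site-key rotation simply makes the old tag stop matching.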

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different than needing to update your password; this is the temporary cookie that stores your account information in your browser. Very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.

July 25, 2022, 10:55 pm by teacup132

Since the banner is still lacking the link to log in directly, I am refusing to log in the "new" method.

July 25, 2022, 4:26 pm by Magic

Totally locked out of my account on mobile now. I absolutely am entering in my correct username/email and PW beyond any shadow of a doubt and it literally will not let me log in AT ALL. It keeps saying everything is wrong. And the link on that log in page to what I'm assuming is this news post doesn't even work because you need to be logged in to view it...which you can't.

July 25, 2022, 8:24 am by Paula

I was able to log in, FINALLY! I found out what was wrong, in case it helps someone else out there: I clicked 'forgot my password', had to wait a bit but the mail was sent (to spam), then I reset my password (it wasn't possible before because it said the password was weak, that's how I found out, and when the password said "strong", then I was able to click 'reset'). After I reset the password, it worked, I could log in just fine.

Just in case it helps someone that was having the same issue with invalid username/e-mail/password like me.

July 25, 2022, 5:08 am by BoaConstrictor

...oops... obviously comment got through in spite of the 504 ? weird...

July 25, 2022, 5:06 am by BoaConstrictor

logging in with username doesn't work, either - "invalid" message

...getting 504's here on the comments repeatedly

July 25, 2022, 5:05 am by BoaConstrictor

logging in with username doesn't work, either - "invalid" message

July 24, 2022, 9:59 pm by Itachi_Siller

Everyday i keep getting the "You're logged in to Subeta using the old method, and we'd appreciate you switching to the new method. Check out the news post here for more details." Do I have to sign into the Auth version everyday?

July 24, 2022, 8:54 pm by mmmh81

Finally got it to work.

July 24, 2022, 8:39 pm by SpectrumSurfer

Thank you for fixing it so quickly. I was able to use my username to log in and find out that the email I used to sign up was one I hadn't used in years.

July 24, 2022, 4:25 pm by Borxar

When I put my email and password to try log into the new system it says that my username cannot be found

July 23, 2022, 6:55 pm by Galaxia

Yes, sorry about that! We were trying to put in the option to log in with username instead of just email. The page should be working again, although username log-in will have to wait for another day. Thank you for letting us know!

July 23, 2022, 5:13 pm by jKat

I get a blank page when I go to do the new log in.

July 23, 2022, 5:08 pm by Mort

I also get a blank page when I want to log in, my workaround is to press the ESC key before it turns white lmao. 😭

July 23, 2022, 4:54 pm by Hippolyta

https://auth.subeta.net/auth/login

Blank white page.

Windows 10, latest Opera browser.

July 23, 2022, 4:24 pm by Galaxia

The plan right now is to make it the default log-in page on Monday (with a username option, not just email address), and either a link to this newspost on it or a separate page with the information. I'm also trying to make sure we have the reminder/address to email support for assistance as well.

July 23, 2022, 1:31 pm by Bliss

It says I'm still on the old system when I did change to the new one on my laptop. Ah well lol

July 23, 2022, 12:39 pm by RMutt

I just wanna say I think the timing of subeta doing this update that will require updating our passwords while neopets has an active security breach is really funny to me

July 23, 2022, 10:19 am by teacup132

It would be appreciated to have a direct link in the banner to the new authentication page as many of us have already read the text and don't want to search every single time to find the link.

July 22, 2022, 10:46 pm by Bathory

I'm having the issue where I log in via the new way on mobile, navigate to something else and come back and I get the banner again saying I need to log into the new way. Can we please get a button on the sidebar so I don't have to scroll to the bottom of the news post to relogin?

July 22, 2022, 6:00 pm by Ryuu

Everything worked just fine for me when I switched over the other day~ Big thanks to staff for keeping this place going & helping to keep the users safe & secure. ❤️

Anyway, here's a list of what seems to be commonly asked questions, in one spot, with big, bolded bits, for your skipping-er viewing pleasure. ;)

How do I check / change which email I used?

Email Check And Change Info

Hover the Personal tab, Dashboard, Profile https://subeta.net/preferences.php?act=profile

If you need to change your email:

  1. Type your email here.

  2. Then, click this button.

You have to submit the new email on this page by clicking the button. Otherwise the site cannot know you made a change.

If, for some reason, the page did not save / keep the change AFTER you have clicked the button, try using another internet browser (try to use a common and widely used browser).

If that does not work either and you are still logged in? File a Ticket and get assistance: Hover the Subeta tab, Tickets https://subeta.net/tickets.php


How can I login the old way? (to check / change email, etc)

Old Login

Be logged out.

Go to a site page: https://subeta.net/shop.php?shopid=2 (other pages also work.)

Use your username and log in with whichever password you use when logging in with your user name.


I cannot remember my password / it says my password is incorrect?

Password Problems

Are you using the correct password? It is good to carefully check, because that is an easy mistake to make.

The password reset works for the new login. https://auth.subeta.net/auth/forgot-password

You can try that, if you both know and have access to whichever email you have on your account. You can check which email you have on your account like this: Hover the Personal tab, Dashboard, Profile https://subeta.net/preferences.php?act=profile

The email you receive will look like this. (but will say your name instead.) You may need to check your spam, if you do not see it in your inbox.


I can't log in either way!

Please Remain Calm

Please double check your password one last time. Is your caps lock key on? Num pad on? The old way needs your username and that password. The new login needs your email instead.

You can also try using a DIFFERENT BROWSER than your normal one (and try to use a common and widely used browser too.). For some people, that helped.

Please check if you are logged in to your account anywhere else. Check: Phone? Computer? Tablet? etc.

If that does not work, contact staff via email. There is a Contact Us link on the bottom of most pages: https://subeta.net/contact.php [email protected]


Other assorted questions.

Do I need to change my password now?

No. "You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated."


Do I have to use Two-Factor Authentication?

No. 2FA is only if you want to use it and it is not available yet. (but you really should consider using 2FA for any account you care about that offers it.)


Why are there so few users online?

Pretty sure users logged in the new way are not included in the online count. For example, the "Last Seen" section of user profiles does not update for users logged in the new way. (I'm sure it will be fixed in the future.)

July 22, 2022, 2:50 pm by Taarna

Anyone that has logged in just to do the BH would've seen the former news post about how they were going to implement this change. I saw it and read that it would be for later, so I dismissed it. There's been an active forum thread about making sure your sign up email address was up to date since then, for a month now. Fortunately I still use mine as I've gotten used to using multiple emails for a variety of things.

This news post was too convoluted. Honestly, most of it could've/should've gone in a "tech post" in Site Updates. I don't know why everyone was trying to change their password at the time of this post b/c it specifically said -

Quote: "You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated."

To check what the original email is, go to the dropdown menu of Personal and then select -> Dashboard-->Profile. There it is.

The original link in the news post works with your old email and old password so if you want to get rid of the message, sign in that way (under a separate tab if you think you'll get locked out) and you should be fine. In the meantime, if your email is outdated then you should probably update it AFTER you use the new authentication https://auth.subeta.net With them switching the mail servers, I think that was part of the issue (that was many, many comments ago.)

To those that said it should've been a sticky, sidebar or whatever - MOST DEF agree. A step by step process, in most cases, that leaves out the how's and why's and just tells you what to do.

There is no need to update your password at this time so that's the first thing to pay attention to. The second is to login as normal, even w/ your outdated email (since you won't get an email asking you to verify it's you at this time), through the https://auth.subeta.net . Once logged in normally with your new cookie, you shouldn't have a problem changing your email address via the above route in Dashboard/Profile.

July 22, 2022, 2:11 pm by Suiicune

I can not log in the new way when I use my username and password it says email not correct I made this account forever ago I am not sure of the email I used ><

July 22, 2022, 1:58 pm by Sketchpad

okay thank you for the info! also apologies if it was mentioned in the news article and I managed to miss it somehow

July 22, 2022, 12:49 pm by ashen.glaze

I appreciate that they did, but I wasn't on Subeta at the time when they posted it. News posts get buried pretty quickly. If they could pin it up in some way (eg banners, on the sidebar in the front page such as below the staff forum post), that would make it less likely for users to miss such announcements.

July 22, 2022, 12:46 pm by ashen.glaze

Keith's link doesn't work for me when I'm not logged in (which is the problem). As for the news post, that seems pretty dependent on people being around at the right time to see the post (which I did not get the chance to see). If possible, it would have been better to see it pinned as a banner or on the side bar of the front page.

July 22, 2022, 11:51 am by teacup132

In the banner that asks people to log in using new method, please put a link to directly log in... instead we are redirected here, have to search through a bunch of text to find the link. I had already read the text... I don't want to have to search every single time to find the link.

Also, please keep in mind that many people use autofill for passwords so it's easier to forget when we don't constantly use it. I actually had to go retrieve it in my browser settings, use another password to let me see the passwords for sites, etc. It was complicated to say the least. I understand it's a necessity to change but for those that have emails, it might be good to have an auto email to remind the people what their password is or an option to send an email with a temporary password to allow people to reset passwords.

July 22, 2022, 11:47 am by hannahharmin

I'm having trouble with the wardrobe! I'm getting the spinning wheel of death and had to log in to it separately from Subeta. When I do click on it from the drop down tab on the site it says I must be logged in to view the wardrobe.

July 22, 2022, 11:36 am by mitsuie

i had a hard time trying to log into my account because my account didnt have a email set to it, luckily i found the old site link. please introduce a user log in link until the email link works correctly :)

July 22, 2022, 10:07 am by mmmh81

It just keeps saying invalid email for me...

July 22, 2022, 9:57 am by slippy

well I've tried everything and it still says my email is invalid. so sad

July 22, 2022, 9:35 am by capper09

... I will wait with everything until everything works without problems... we know that changes here have never run smoothly immediately... also i don't want to log out and then have to stand in front of the door...

July 22, 2022, 8:53 am by Chef

https://subeta.net/preferences.php?act=profile

I was just able to update my email address here. I just clicked on the "submit your profile" button on the bottom and it seems to have taken it without issue. Is there an autofill thing that keeps changing it back maybe?

July 22, 2022, 7:42 am by Mort

Judging by the drop in the number of users online — I assume some of them can't log in anymore — what I would suggest is to put a disclaimer about the password reset on that new method login page, and a temporary link to the old method login page so people can log in as before and check their email address in the Prefs page... Or something like that, I'm no UI/UX designer lol! At this moment, the password reset suggestion (which fixed it for me) is buried in the comments and the link to the news post on that auth.subeta.net main page seems incorrect.

July 22, 2022, 3:11 am by Stiles

if you log in with your email through that link, are you fine then until the site tells us we have to update our passwords?

July 21, 2022, 11:57 pm by extremist

Trying to change my email before I do the new log in. I type my new email address into the profile section but it keeps showing up with the old one that has not been used in 10 years. Am I doing something wrong?

July 21, 2022, 11:45 pm by CastlesInTheSky

Well OBVIO I was the Dumbe one then thinking we'd get at least a 24h notice/reminder of a post buried in the news from one month ago.

July 21, 2022, 7:13 pm by ToxicBaby

Made sure I was logged in the new way as soon as this went up. And now I'm getting the same pop up that I'm logged in the old way?

July 21, 2022, 7:05 pm by Shibuya

Got everything to work fine for me on the first try!

I work in chat/email based site support and opening the comments to this newspost sent me straight into nightmareland. Hope all goes smoothly! 💀

July 21, 2022, 5:40 pm by Wizardpinky

I saw the amount of users today and was shook ; 3 ; hope everyone was able to log back in

July 21, 2022, 5:34 pm by Thunderbird

Did anyone else notice that the image is Wheatley mixed with a turret from "Portal 2"?

July 21, 2022, 4:42 pm by Galaxia

You'll be able to decide on the 2-factor authentication, you don't have to do it just yet. You also don't have to change your password just yet.

Understandable, please just get to it when you can! We will be working on issues as well over time and will let people know before we stop supporting the old authorization system.

July 21, 2022, 4:25 pm by jersey

After reading all this not yet comfortable making the change with the issues. Have a couple things going on that I'm involved in and would hate to get locked out and not be able to finish them.

July 21, 2022, 4:18 pm by capper09

... is it a must to do the 2 way authentication and change PW or can i decide that myself... ? .. i have the note on the side that i am still logged in the old way, but since the new one doesn't seem to work i will stay with it until it all runs stable....

July 21, 2022, 4:08 pm by slippy

Okay I ended up filing a ticket because it just doesn't work for me.

July 21, 2022, 3:51 pm by Galaxia

2-factor authorization is going to be voluntary, you won't have to bother with a phone app or anything unless you want to.

It should be back up, Keith was fixing something quickly! He wants to make sure this works, not just dump the code once.

@[ashen.glaze] I did make a news post last month, and Keith's second comment on this post down at the bottom was showing someone where they could check the email for the account.

You will have to set your password again in the future, but if you change it from your old one to something new you can reconfirm the new one when we do the reset!

Try requesting an email for a password reset? If that doesn't work, please file a ticket!

July 21, 2022, 3:32 pm by capper09

... ... aaaah, thank you both.... so it is understandable, even without translator... sometimes the simplest things are the best... :)

who hacks Neopets can also divide by zero...

July 21, 2022, 3:17 pm by Coyote

If we change our password now on the new log in screen will we have to change it again when it switches over?

July 21, 2022, 3:14 pm by Tammynoneed20

All good thank you for keeping us updated :D
