🔒 Security / Authentication Update

Over the last few months, the tape holding together our aging authentication system has started to fall off, and the system is really showing its age. You've probably been redirected to the login screen while trying to do anything, been unable to get the wardrobe or forums to load, and sometimes felt that it's completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing methods, which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.
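
The cookie scheme described above can be sketched as follows. This is an added example, not Subeta's code: the HMAC-SHA256 construction, the field names (`session_key`, `password_hash`) and the cookie layout are assumptions, since the post only says the cookie depends on a per-account key, the account password and a site-wide key.

```python
import base64, hashlib, hmac, json, secrets, time

def signing_key(site_key: bytes, user: dict) -> bytes:
    # Per-user MAC key built from all three secrets. Each input is hashed
    # first so the concatenation has fixed-width fields and is unambiguous.
    parts = [hashlib.sha256(user[f]).digest() for f in ("session_key", "password_hash")]
    return hmac.new(site_key, b"".join(parts), hashlib.sha256).digest()

def _tag(site_key: bytes, user: dict, body: bytes) -> bytes:
    return hmac.new(signing_key(site_key, user), body, hashlib.sha256).hexdigest().encode()

def issue_cookie(site_key: bytes, user: dict, ttl: int = 3600, now=None) -> str:
    now = time.time() if now is None else now
    claims = {"uid": user["id"], "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    return (body + b"." + _tag(site_key, user, body)).decode()

def verify_cookie(site_key: bytes, cookie: str, users: dict, now=None):
    """Return the user id if the cookie is valid, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, tag = cookie.encode().split(b".")
        claims = json.loads(base64.urlsafe_b64decode(body))
        # uid is still untrusted here; it only selects which key to check.
        user = users[claims["uid"]]
        exp = int(claims["exp"])
    except (ValueError, KeyError, TypeError):
        return None
    if not hmac.compare_digest(_tag(site_key, user, body), tag):
        return None  # forged, or one of the three secrets has changed
    return user["id"] if exp >= now else None

if __name__ == "__main__":
    # Constructed sample data: stand-ins for the site secret and one account.
    site_key = secrets.token_bytes(32)
    users = {7: {"id": 7, "session_key": secrets.token_bytes(32),
                 "password_hash": b"constructed-hash"}}
    cookie = issue_cookie(site_key, users[7])
    print(verify_cookie(site_key, cookie, users))      # accepted
    users[7]["session_key"] = secrets.token_bytes(32)  # "log out everywhere" button
    print(verify_cookie(site_key, cookie, users))      # rejected on every device
```

Because the server recomputes the key from current values on every request, no per-session revocation list is needed: resetting the account key, changing the password, or rotating the site key each invalidate outstanding cookies.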

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.
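
One common way to let a new hash take priority while existing passwords keep working is to upgrade the stored hash at login. This is an added example, not Subeta's code: unsalted SHA-1 is a stand-in for the legacy scheme (the post does not name the old algorithm), PBKDF2-HMAC-SHA256 stands in for the "modern hashing", and the `legacy`/`modern` account fields are hypothetical.

```python
import hashlib, hmac, os

PBKDF2_ROUNDS = 600_000  # work factor for the new scheme; tune to your hardware

def legacy_hash(password: str) -> str:
    # Stand-in for the old scheme (assumption: the page does not name it).
    return hashlib.sha1(password.encode()).hexdigest()

def modern_hash(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2${salt.hex()}${dk.hex()}"

def verify_modern(password: str, stored: str) -> bool:
    _, salt_hex, _ = stored.split("$")
    candidate = modern_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def login(account: dict, password: str) -> bool:
    """The new hash takes priority; a legacy hash is accepted once, then replaced."""
    if account.get("modern"):
        return verify_modern(password, account["modern"])
    legacy = account.get("legacy")
    if legacy and hmac.compare_digest(legacy_hash(password), legacy):
        # The plaintext is only available at login, so upgrade right now.
        account["modern"] = modern_hash(password)
        account["legacy"] = None  # drop the weak hash once it is not needed
        return True
    return False

if __name__ == "__main__":
    # Constructed account that so far only has a legacy hash.
    acct = {"legacy": legacy_hash("constructed-password"), "modern": None}
    print(login(acct, "constructed-password"), acct["legacy"], acct["modern"][:14])
```

Accounts that never log in keep only the weak hash, which is why a forced rotation is still needed at some point.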

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different than needing to update your password; this is the temporary cookie that stores your account information in your browser. It's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.

July 21, 2022, 3:11 pm by Baikou

If anyone is having trouble, change your old password and double check to see if your email is still working. I did both, as someone mentioned earlier in the thread and it worked.

July 21, 2022, 3:08 pm by capper09

after using right site the login i got this:

Server Error... Application Error ... This application failed to respond

good that this site is loyal to their faults... sigh

July 21, 2022, 3:07 pm by PaintedPawz

Can anyone help me here? I know my email address is correct, but it keeps telling me wrong email or password and I've been using it for the past year with no problems :/

July 21, 2022, 2:44 pm by Narshe

.glaze Staff did an announce last month regarding having your email up to date.

July 21, 2022, 2:30 pm by ashen.glaze

Really would have liked some sort of heads-up before implementation so that I could actually check which email I'd used to sign up.......... over 10 years ago. That is an email I have not touched in years, have completely forgotten about in context re Subeta. And since I don't show my email in my profile, that's no help either. As it is, I'm lucky I was able to guess right, because otherwise I wouldn't have been able to log in at all.

@ staff/Keith, next time you implement a security measure like this, please give us advance warning so we can prepare. Not everyone stays signed in, and not everyone remembers what email they signed up with.

July 21, 2022, 2:28 pm by Sketchpad

please tell me we aren't going to have to download and fight with one of those authenticator phone apps that generate one of those stupid codes you have to put in

July 21, 2022, 2:22 pm by loopa

finally worked for me!!! had to go into my profile and change my email address (forgot about the fact that everything i use now is connected to Google lol!!) and once I did it in the old system on my phone it worked!!!

July 21, 2022, 1:46 pm by Galaxia

There's no midnight deadline or anything.

You don't have to change it now, although if it's an older, re-used, or weaker password now might be a good time. We'll put out another notice when we are completely resetting passwords.

If you're still having trouble when you try again, please file a ticket!

You're not going to lose your account! This is about keeping your data safe and making log-in and authorization a more cohesive process.

Thank you for the details! I'm seeing a few other people mention issues as well across devices, and Keith is going to take another look today.

July 21, 2022, 1:20 pm by Rosecel

"Invalid email or password" Email is the one on my profile and my password is correct. I tried on Safari, Firefox and Chrome.

July 21, 2022, 1:01 pm by Moonbeam

Given the massive data breach over on Neopets, this is not only welcome news, but a refreshing difference in how pet sites are managed. Thank you for being direct, up front, and letting everyone know EXACTLY what is going on, what will be changing, and why. This is the sort of staff response that all game/pet sites should have!

July 21, 2022, 12:51 pm by BoaConstrictor

Any new suggestions for us, who are not successful?

July 21, 2022, 12:42 pm by Shinko

Ahaha, very good timing for this in light of the neopets data breach.

July 21, 2022, 12:25 pm by daisuki

where's neugarten

July 21, 2022, 12:07 pm by lissesul

Update: I tried it on Chrome as well. I also added https://auth.subeta.net to my whitelist as well. Still get Invalid email or password

July 21, 2022, 11:56 am by lissesul

Invalid email or password*

I have triple checked my email address. It's still my same valid one & I have never changed my e-mail for Subeta. I can log on with my username & old password. I can't get logged on with the https://auth.subeta.net link at all. I even reset my password and still no go. I am using my old login & password, until this is resolved I'll keep on with the old way of logging in and playing. I am using Firefox on my PC.

July 21, 2022, 10:59 am by castyourshadow

Woo! It works. I was someone who initially didn't get the email to reset password, so if anyone was having that issue, it's working (for me) now. Maybe give it another shot?

July 21, 2022, 10:04 am by StarShadow

Thank you for the update. I signed in last night with no problem. Just hope it keeps working correctly and there aren't any more problems. Appreciate the information.

July 21, 2022, 9:49 am by slippy

I tried using it but it doesn't work for me. It says I don't exist!

July 21, 2022, 9:24 am by ColdDragon

I cleared my cookies on both Chromebook and phone browser. Used the new login on both devices and the message at the top of the screen went away. When I came back on phone browser the new login message was back on top of the screen. I'm able to play the site so I'm not stressed but it is a worry since it's acting like I'm still on old cookie and login.

Using Chrome browser on Chromebook. Edge browser on Android phone.

July 21, 2022, 9:17 am by Arcania

I am impressed - at least from my experience this is the most seamless rollout I have ever seen for account/authentication updates.

July 21, 2022, 9:15 am by Synth

I waited until now to touch this since so many people were having problems and I was able to log in on my phone and desktop without issue (at least, none that I have detected so far). Just saying this for anyone else who may still be hesitant to try.

Thanks for working to keep us secure, Subeta!

July 21, 2022, 9:01 am by LothlorienRain

Once I found where I can find my email I used to sign up (located in Preferences) I was able to sign in with no problems so far.

July 21, 2022, 8:54 am by Julie

Disregard, I think I'm at the Legacy Site.

July 21, 2022, 8:49 am by Julie

It doesn't recognize my email address at the new authentication site.

July 21, 2022, 8:29 am by ChatLunatique

Interestingly I initially got the "invalid password" error, but being the stubborn old bat that I am, I called the system a few choice names and smashed the enter/next/whatever button anyway. It let me in without any further problems. :)

July 21, 2022, 7:32 am by Banana

Everything has worked for me so far. I relogged in on my work computer and on my home laptop, both Macs and both using Chrome. My desktop at work said invalid the first time but worked the second time, I waited like no time in-between attempts. I don't know if this information helps at all but I figured I'd share in case it did lol

July 21, 2022, 7:26 am by Shannon

Hi :) Everything has worked fine for me so far, but I was wondering if we were being encouraged to go ahead and change our passwords or if we should wait until you guys tell us it's time?

July 21, 2022, 6:34 am by BoaConstrictor

Judging by the measly number of users online, a lot of people have successfully locked themselves out of Subeta :-(

July 21, 2022, 5:34 am by BoaConstrictor

Invalid email or password Fortunately

  1. I tried on my fairly useless, tiny, slow, garden/vacation meant notebook.
  2. I still had another Subeta window open, a random link of which opened up the old login page - which let me in
  3. old login still possible & works

I have never in all those years changed my e-mail for Subeta. Obviously the password I tried numerous times, is correct. I did add https://auth.subeta.net to my very few allowed cookies.

July 21, 2022, 5:22 am by corvoo

so weird how we get this news on the same day as neopets' data breach. yet another reason why subeta is superior 😝

July 21, 2022, 3:47 am by BleedingOrange

I've logged in 2 times with new method but when I go to another page the message is still on top saying I'm using the old one

July 21, 2022, 3:00 am by the_beast

can't see the games tab?

July 21, 2022, 2:57 am by yellowdream

it's saying my password or email is invalid, been trying but still getting message at the top, will I lose my account so worried ..

July 21, 2022, 2:42 am by Ciannwn

Managed to log in with the new system yesterday and the banner disappeared. Came on this morning to see the banner again telling me I'm logged in under the old system.

July 21, 2022, 1:42 am by Luck

Notice that we needed up-to-date email addresses for this process was posted a month ago : News post

July 21, 2022, 1:11 am by NekoHime

Is it important to log in that way before midnight? Because if so then I already failed

July 21, 2022, 12:52 am by CastlesInTheSky

Just out of curiosity.. Ever hear about giving people fair warning? or SOME KIND OF FN' notice? I never stay logged in & I ain't got a clue what my email is that I use on this site. I had to search around for anything that looks remotely familiar. 40min later here I am. But not from the new login. I signed in using the old page using my username/password. I'll go look what my email is later. Do my head in

July 21, 2022, 12:15 am by Luck

I'm not sure if I just typed my pw wrong the first time (unlikely, I'm slow and careful) but I also had the invalid email/pw error the first time. I refreshed the page and typed my pw again and it worked that time. Not sure if refreshing/trying more than once will help anyone having trouble.

July 21, 2022, 12:05 am by Coma

Logged in to the new system, changed my password because it was due for a refresh anyways — worked like a charm across all my devices. Thanks! We love a good security/transparency update.

July 20, 2022, 10:31 pm by Kinky

Looks like I missed all the fun because I was able to reset my password, and it worked perfectly.

July 20, 2022, 9:37 pm by CassieFenix

Thanks for putting the link to the profile page here! I was trying to log in with my new email address which I changed a while back but couldn't, so when I checked my profile, I realized I had my old email address there! Updated it and fixed it so I could log in using the new method.

July 20, 2022, 9:31 pm by Bliss

I logged myself into the new system on my laptop, but I see it didn't change me to the new login on all my devices as I still have the message on mobile

July 20, 2022, 9:29 pm by oilbird

Great, thank you!

July 20, 2022, 9:15 pm by Bren

So far so good- I logged into Subeta via the Authenticator site on my iPad first- then updated my PW and logged on using my phone. I'll set it up on the laptop tomorrow! 👍🏻

July 20, 2022, 9:09 pm by Tammynoneed20

Well I kept getting logged out on chrome this time I couldn't log back in so I'm back on firefox and no troubles yet and the forums are working for me on firefox

July 20, 2022, 8:55 pm by Faizh

this change comes in a very interesting day. thanks for this update.

July 20, 2022, 8:14 pm by Chef

One issue that I do have with the changing of the password system as it is currently is that it doesn't send a link or anything to your email to click on. It just allows you to change the password. I also didn't receive any email stating that the password on my account was changed.

July 20, 2022, 8:09 pm by sundaykid

Yeah, same as a lot of other people, it's saying my password or email is invalid, and won't send a reset email, and the email is definitely correct.

July 20, 2022, 8:02 pm by raw

thank you for working so hard with Subeta ;-; I love this website, am so happy and thankful for the people who keep it running <3

July 20, 2022, 7:47 pm by Dracona

could not change my password. logged in ok, but wanted to change password and the submit button is greyed out despite having all the rules followed and passwords matching. :( go to Dashboard then click Profile on the top tabs to find email.
