🔒 Security / Authentication Update

Over the last few months, the duct tape holding together our aging authentication system has started to come loose and really show its age. You've probably been redirected to the login screen while trying to do anything, been unable to get the wardrobe or forums to load, and sometimes felt that it's completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that handles logging you in across Subeta. Clicking any login or logout button on this site or on new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we are removing PIN protection, but we will offer 2FA (a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, along with an avatar builder and pet creation, but its only job is managing accounts.

You've probably noticed that when you click a link to log in with Google, you're taken away from the site you started on (even YouTube sends you over to Google's own accounts page), you log in there, and it redirects you back. That is a centralized account management service doing the important work behind the scenes and then sending you to the website you're trying to use and saying, "This user is all good, I've verified them!"

Modern (2022) Password Hashing

The method used to hash Subeta passwords in our database dates from the PHP 5 era. We're now running PHP 8.1 on all of our servers, and we have to include a special package in our PHP installation just to keep access to those old hashing functions.

In the old system, we encrypt your cookie and decrypt it on the server; being able to decrypt it with our key is what tells the site that you're a valid user rather than someone presenting fake credentials.

The new management system uses modern password hashing that is as close to impossible to crack as anything gets (nothing is literally impossible). It also gives us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We'll be able to provide a button that resets that key, which logs you out on all devices. The cookie is also hashed together with your account password, so if you change your password, everyone will be logged out of your account immediately.

Finally, it's hashed with a top-secret Subeta key that we will rotate on a schedule we won't publish.
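The scheme described above, written out as an added illustration (this is example code, not Subeta's own implementation): the login cookie carries the account id, an expiry and an HMAC whose key is the site secret and whose message includes the per-account session key and the current password hash. Because every one of those values is an input, resetting the per-account key, changing the password or rotating the site secret makes every outstanding cookie stop verifying. The account table, field names, token format and lifetime are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed in-memory stand-in for an account table. Field names are
# assumptions for this example, not Subeta's schema.
ACCOUNTS = {
    42: {
        "password_hash": "stored-password-hash-v1",  # opaque here; only its value matters
        "session_key": secrets.token_hex(16),        # per-account key, unique to this user
    },
}

# The site-wide secret. Rotating it invalidates every session at once.
SERVER_SECRET = secrets.token_bytes(32)

TOKEN_LIFETIME = 30 * 24 * 3600  # seconds; assumed value for the example


def _mac(user_id: int, expires: int, server_secret: bytes) -> str:
    """HMAC over everything a session depends on: the account id, the
    per-user session key, the current password hash and the expiry."""
    acct = ACCOUNTS[user_id]
    msg = b"|".join([
        str(user_id).encode(),
        acct["session_key"].encode(),
        acct["password_hash"].encode(),
        str(expires).encode(),
    ])
    return hmac.new(server_secret, msg, hashlib.sha256).hexdigest()


def issue_token(user_id: int, now: Optional[int] = None,
                server_secret: Optional[bytes] = None) -> str:
    """Value to put in the login cookie, formatted as user_id.expiry.mac."""
    now = int(time.time()) if now is None else now
    expires = now + TOKEN_LIFETIME
    secret = SERVER_SECRET if server_secret is None else server_secret
    return f"{user_id}.{expires}.{_mac(user_id, expires, secret)}"


def verify_token(token: str, now: Optional[int] = None,
                 server_secret: Optional[bytes] = None) -> Optional[int]:
    """Return the user id if the cookie verifies under the *current*
    per-user key, password hash and server secret; otherwise None."""
    now = int(time.time()) if now is None else now
    secret = SERVER_SECRET if server_secret is None else server_secret
    try:
        uid_s, exp_s, mac = token.split(".")
        user_id, expires = int(uid_s), int(exp_s)
    except ValueError:
        return None
    if user_id not in ACCOUNTS or expires <= now:
        return None
    expected = _mac(user_id, expires, secret)
    # Constant-time comparison; encode so a non-ASCII cookie can't raise.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return None
    return user_id


def log_out_everywhere(user_id: int) -> None:
    """The 'reset my key' button: every outstanding cookie stops verifying."""
    ACCOUNTS[user_id]["session_key"] = secrets.token_hex(16)


def set_password_hash(user_id: int, new_hash: str) -> None:
    """A password change has the same effect, because the hash is an HMAC input."""
    ACCOUNTS[user_id]["password_hash"] = new_hash


if __name__ == "__main__":
    t = issue_token(42)
    print("valid:", verify_token(t))
    log_out_everywhere(42)
    print("after key reset:", verify_token(t))
```

Note that the server stores no session row at all: validity is recomputed from the account's current state on every request, which is exactly why changing any of the inputs logs out every device at once. Rotating the site secret is the blunt instrument; the per-account key is the targeted one.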

Password Update

Separately, the stored hash of your password on Subeta is woefully out of date. We've been able to implement the new system so that it takes priority over the old one, which means we don't need to force every password on Subeta to be rotated immediately. You can still log in with your current password, and we'll alert you through the news before we require passwords to be changed.
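One common way to get the "new system takes priority, old passwords keep working" behaviour is to verify against the modern hash whenever one exists, fall back to the legacy digest only while there is none, and re-hash with the modern scheme on the first successful legacy login, the one moment the plaintext is in hand. The post doesn't say how Subeta did it, so the following is an added example of that pattern, not Subeta's code; the legacy scheme (an unsalted MD5 stand-in), the modern scheme (PBKDF2-HMAC-SHA256 from the standard library) and the account fields are all assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# OWASP's recommended minimum for PBKDF2-HMAC-SHA256 (2023 guidance).
PBKDF2_ITERATIONS = 600_000


def legacy_hash(password: str) -> str:
    """Constructed stand-in for the old PHP-5-era digest. The post does not say
    what the real scheme is; bare unsalted MD5 is used only to show the shape
    of the migration, never as something to deploy."""
    return "legacy$" + hashlib.md5(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash in a self-describing format."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Parse the stored string and recompute; malformed input is a failed login."""
    try:
        scheme, iters, salt_hex, dk_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(iters))
    except ValueError:
        return False
    return hmac.compare_digest(dk, expected)


def verify_legacy(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password).encode(), stored.encode())


def login(account: dict, password: str) -> bool:
    """Check the modern hash first; fall back to the legacy digest only while
    no modern hash exists, and upgrade on the first successful legacy login."""
    if account.get("modern_hash"):
        return verify_modern(password, account["modern_hash"])
    if account.get("legacy_hash") and verify_legacy(password, account["legacy_hash"]):
        account["modern_hash"] = modern_hash(password)  # plaintext is in hand only now
        account["legacy_hash"] = None                    # drop the weak digest
        return True
    return False


if __name__ == "__main__":
    # Constructed account row: migrated from the old system, not yet upgraded.
    acct = {"legacy_hash": legacy_hash("correct horse battery"), "modern_hash": None}
    print("wrong password:", login(acct, "wrong"), "| upgraded:", acct["modern_hash"] is not None)
    print("right password:", login(acct, "correct horse battery"), "| upgraded:", acct["modern_hash"] is not None)
    print("legacy digest retained:", acct["legacy_hash"] is not None)
```

Dropping the legacy digest at the moment of upgrade is the part that matters for a database leak: as long as the weak hash sits next to the strong one, anyone who dumps the table still gets the weak one. The "we will alert you before we require passwords to be rotated" step then only has to cover accounts that never log in during the transition.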

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie) and that we'd appreciate it if you went over to auth.subeta.net and logged in. The site will still read that old cookie, but we aren't going to support the old system for long. This is separate from updating your password: it's about the temporary cookie that stores your account information in your browser, and it's easy to fix by logging in at auth.subeta.net. Remember to enter the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're already logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to rebuild it from the ground up instead of adding more duct tape.

July 20, 2022, 7:32 pm by micheleey

Will do, thank you for your help!! :)

July 20, 2022, 7:27 pm by Galaxia

Please file a ticket, then! If it's something that needs patching or there are more troubleshooting steps we can do, the ticket is going to be the best way to have the info handy and follow up.

July 20, 2022, 7:25 pm by micheleey

Yes, it is the same Email

July 20, 2022, 7:23 pm by Galaxia

Hmm, a little trickier then...is it the same one that you have listed on your https://subeta.net/preferences.php?act=profile?

July 20, 2022, 7:20 pm by micheleey

Yes, I am putting my email.

July 20, 2022, 7:19 pm by Galaxia

As a reminder for people, unique passwords are going to be the best way to protect your account! If your current password is the same as another site, now would be an excellent time to change it to something you don't use anywhere else. Or, if you are taking the opportunity to make a new one, don't re-use it on other pet sites.

July 20, 2022, 7:15 pm by Galaxia

Make sure you're putting in the email address, not just your username.

July 20, 2022, 7:14 pm by Galaxia

2FA will be voluntary, just like PINs were!

July 20, 2022, 7:11 pm by micheleey

It's not working for me on iPad or on a Windows computer. Both are saying invalid email or password.

July 20, 2022, 7:10 pm by PeachGoblin

finished, went smoothly for me :3

appreciate the work being put in ^_^

July 20, 2022, 6:43 pm by Valiska

I hope 2FA remains voluntary. I already have to have my phone with me to get any paid work done, I'd like to be able to put it down to play :)

July 20, 2022, 6:21 pm by EvilRedDuckie

thank you for all the hard work you've all put in to address this issue. i'll keep my fingers crossed that this solution will stop all the insanity. 😂

July 20, 2022, 5:35 pm by Daydream

Thanks for all your hard work!!! I really appreciate how Subeta cares for its users safety - especially as That Other Site had yet another data breach TODAY! I hope it all works out smoothly.

July 20, 2022, 5:08 pm by oilbird

Will it be required to opt into 2FA?

July 20, 2022, 5:06 pm by Shannon

So wait, should we go ahead and change our passwords? Or should we wait until you guys tell us to?

July 20, 2022, 5:04 pm by Luce

Would love to say it worked. I logged in the new way, went back to my page five minutes later, and had to log in again.

July 20, 2022, 4:56 pm by Tammynoneed20

Even though I can't get into the forums, I'm happy to be back on Chrome.

July 20, 2022, 4:54 pm by Avel

I couldn't log in on my mobile, but my computer worked on my first try.

July 20, 2022, 4:53 pm by Austria

You guys are fighting the good fight. Good luck wrangling everyone, explaining everything, and doing the boss battle with the code.

July 20, 2022, 4:41 pm by Nebet

I've been able to log in fine so far, but should I update my password now or wait???

July 20, 2022, 4:35 pm by Galaxia

Make sure you're putting in your email address, not just your username, and that it matches the one you have listed at https://subeta.net/preferences.php?act=profile.

Select old/legacy Subeta on that screen!

July 20, 2022, 4:31 pm by theraphos

Thank you for your hard work! I'm always a fan of 2FA, looking forward to it.

July 20, 2022, 4:27 pm by Reekoh

I haven't been asked to log in, but I am getting robot checked very often. It hasn't happened for a couple of days, so knock on wood.

https://subeta.net/forums.php/read/926879/Anyone-else-constantly-getting-Are-you-a-robot-checked/1/

July 20, 2022, 4:22 pm by Tammynoneed20

I'm on Chrome and was able to log in, but the forums are not wanting to load. I get this at the bottom of the loading: "If forums are loading infinitely, please make sure you are logged in on New Subeta."

Trying to read a staff post? Check our Admin Posts page if you are unable to load the forums.

July 20, 2022, 4:21 pm by MarchOnOff

So where do I log in, to old Subeta or new Subeta? And if I log in on one, is the other working? I so don't get it... or like it...

July 20, 2022, 4:11 pm by Xuanmeng

What do we do if auth.subeta.net doesn't recognize the email address connected with our account?

July 20, 2022, 4:07 pm by -HyperBlossom-

Thanks honey, but for some odd reason it wanted me to type in my email. Don't know why. Everything was spelled the same and correct. Thanks again honey ❤

July 20, 2022, 3:57 pm by Hound

I'm all about cyber security lately! Thank you, Subeta!

July 20, 2022, 3:53 pm by Narshe

@-HyperBlossom- If you're having trouble logging in on mobile with the correct information, double tap the login and it should work.

July 20, 2022, 3:47 pm by Solas

I personally think it's great that Subeta is moving forward to better site protection 😍 I just wish I understood the technical aspects of it all 🤔 I have Asperger syndrome and sadly it's not easy for my brain to understand things that I've never learned before.

July 20, 2022, 3:46 pm by Delirium

Thank you! Worked for me. Happy to see better security for logging in!

July 20, 2022, 3:45 pm by -HyperBlossom-

That's strange. The login works on the desktop, but if I try to log in on my phone it doesn't take my email address.

July 20, 2022, 3:44 pm by Galaxia

Older passwords may not be safe anymore: Neopets just today, for instance, had a major security incident with their entire database exposed. We just want to make sure we're keeping everyone's accounts safe. Go to https://auth.subeta.net and follow the directions to reset your password, make sure it's got a mix of capital letters and symbols and numbers to make it harder for other people to guess it! Choose 'legacy' when it gives you that option. The rest of it, the technical stuff, you don't need to worry about it. We just have the details there for people who are curious.

July 20, 2022, 3:41 pm by frederick

Subeta has switched to a new, more secure login system that does a better job of making sure you're you and protecting your password from hackers. In the near future you will be asked to change your password just to make sure your account is safe. You will also be able to enable two factor authentication using SMS or an app for extra security if you'd like.

(I think that covers it for nontechnical stuff?)

July 20, 2022, 3:39 pm by Petlover

ok thanks for letting me know

July 20, 2022, 3:33 pm by Galaxia

If someone takes your device, they can get into your accounts with saved passwords, yes. However, one of the things this change lets us do is provide a button that allows you to log out across all devices. So if you save your password on your phone but you lose it or someone steals it, you can use another device (your computer, a friend's computer or phone that you trust) to log out even if you don't have your phone.

July 20, 2022, 3:32 pm by Anrivef

That worked flawlessly for me, I entered my email and password and was brought to a handy page where I got to choose to redirect to either Subeta 2.0 (where the wardrobe, CW market are held) or Legacy Subeta (where everything else remains so far). I can understand some of the hesitancy but I guarantee each and every one of y’all are constantly having your data sold by every company you purchase from, even the pharmacy. And I won’t even delve into all the ways our phones betray us. So please don’t allow a fear of new things to keep you away from this site. As Subeta moves into the future, so should we users.

July 20, 2022, 3:29 pm by capper09

What..??? Is there anyone here who can please translate this into German for a non-technical user...? The translator tells something about keys, baking and secret pages... ??? Please via private message... Thank you, thank you... I didn't understand anything... I am happy when I get a plug into the socket without an accident, and now so much technical stuff...

July 20, 2022, 3:23 pm by Petlover

Euh, how does that work? I never save passwords on my PC, in case it gets stolen and the thief can then go into all my accounts.

July 20, 2022, 3:23 pm by Chef

Bitwarden is a good free password manager if anyone is looking for one. It has a mobile app as well.

July 20, 2022, 3:22 pm by Chef

I'm glad that I checked that I had a current email address about a month ago when this was first mentioned in a News post. It made logging in pretty simple. :-)

July 20, 2022, 3:21 pm by Ciannwn

It worked when I tried again.

July 20, 2022, 3:19 pm by Galaxia

Can you save it in your browser, so you don't have to put it in all the time?

July 20, 2022, 3:12 pm by Petlover

I sadly probably have to quit Subeta now. I'm autistic and really can't take having to remember a new, too-hard-to-remember password with all the extras.

July 20, 2022, 2:57 pm by FCoD

It worked this time.

July 20, 2022, 2:56 pm by red5luke

Had to change my password in order to use the new auth site, but it wasn't the strongest, so understandable. Also wish it used username instead of email address for login, but that's not that big of a deal.

July 20, 2022, 2:54 pm by Galaxia

@-HyperBlossom- It's totally cool and my pleasure to help, I'd rather get double-pinged than no notice at all.
You should be all set, then!

July 20, 2022, 2:51 pm by -HyperBlossom-

I did change it through the preferences.php?act=profile page, so that should work fine. I'm just trying to make sure I understand everything right before I change my password. Sorry, I hit the wrong button, that's my fault again. Super sorry, Galaxia.

July 20, 2022, 2:48 pm by -HyperBlossom-

July 20, 2022, 2:44 pm by Narshe

Worked fine on the first try.
