🔒 Security / Authentication Update

Over the last few months, the tape holding together our aging authentication system has started to fall off, and the system is really showing its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it’s completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing methods, which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key that we will rotate on a secret basis.
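
The binding described in this section, shown as an added Python example that is not Subeta's code: a cookie tag keyed by a per-account key, the stored password hash and a server-wide secret, so changing any one of them invalidates existing cookies. The HMAC construction, the cookie layout, the PBKDF2 stand-in for the password hash and every name here are assumptions.

```python
import hashlib
import hmac
import secrets

def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the stored password hash (PBKDF2 only to stay in the stdlib).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def new_account(password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"salt": salt, "pw_hash": hash_password(password, salt),
            "session_key": secrets.token_bytes(32)}  # per-account "special key"

def signing_key(account: dict, server_secret: bytes) -> bytes:
    # Both account fields are fixed-length (32 bytes), so concatenation is unambiguous.
    material = account["session_key"] + account["pw_hash"]
    return hmac.new(server_secret, material, hashlib.sha256).digest()

def issue_cookie(user_id: str, account: dict, server_secret: bytes) -> str:
    # user_id must not contain "." because it is the field separator.
    nonce = secrets.token_hex(16)
    msg = f"{user_id}.{nonce}".encode()
    tag = hmac.new(signing_key(account, server_secret), msg, hashlib.sha256).hexdigest()
    return f"{user_id}.{nonce}.{tag}"

def verify_cookie(cookie: str, accounts: dict, server_secret: bytes):
    parts = cookie.split(".")
    if len(parts) != 3 or parts[0] not in accounts:
        return None
    user_id, nonce, tag = parts
    key = signing_key(accounts[user_id], server_secret)
    expected = hmac.new(key, f"{user_id}.{nonce}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison on bytes; a malformed tag simply fails to match.
    return user_id if hmac.compare_digest(expected.encode(), tag.encode()) else None

def change_password(account: dict, new_password: str) -> None:
    account["salt"] = secrets.token_bytes(16)
    account["pw_hash"] = hash_password(new_password, account["salt"])

def reset_session_key(account: dict) -> None:
    account["session_key"] = secrets.token_bytes(32)  # "log out everywhere" button

if __name__ == "__main__":
    secret = secrets.token_bytes(32)                   # constructed server-wide key
    accounts = {"1001": new_account("correct horse")}  # constructed sample account
    cookie = issue_cookie("1001", accounts["1001"], secret)
    print("fresh cookie:", verify_cookie(cookie, accounts, secret))
    reset_session_key(accounts["1001"])
    print("after key reset:", verify_cookie(cookie, accounts, secret))
```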

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different from needing to update your password: this is the temporary cookie that stores your account information in your browser. It's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.

July 20, 2022, 12:42 pm by Norn

So, email should be correct as I get the newsletters. Password is correct and it has special characters, numbers, capitalization. Yet invalid email/password at auth.subeta.net. Tried reset password - I'm still waiting for the email. Anything else I am supposed to do?

July 20, 2022, 12:42 pm by Baikou

My password and/or email is somehow incorrect even though I double checked.

July 20, 2022, 12:42 pm by Meliora

Same thing here, can't log in, PW reset not working. Checked, using correct email.

July 20, 2022, 12:42 pm by fizz

Mine worked fine???

July 20, 2022, 12:41 pm by Raven

If it takes me to another site, how can I be sure that site is safe to log in with other sites being fake but looking authentic and those sites are doing phishing?

July 20, 2022, 12:40 pm by Dandelion

Yeah, same as a lot of other people, it's saying my password or email is invalid, and won't send a reset email, and the email is definitely correct.

July 20, 2022, 12:40 pm by Retro

not working for me. keeps saying invalid email and will not send the reset email ... it's the same email i have used for years and gotten emails from subeta before.

July 20, 2022, 12:40 pm by Donteatacowman

Ditto with everyone else - I checked my email address and password to confirm that they're correct. I did actually just reset my password, got booted off the site, and was unable to login through the new system - but able to log in with the old one.

July 20, 2022, 12:40 pm by Oak

I have to say I'm not a fan of anything centralized, these days, really.

Is that an external site?

July 20, 2022, 12:38 pm by Star

I just changed my old password to a new one, and it still says incorrect. I'm sure I used the correct email and password. Now I'm stuck on mobile 🙃

July 20, 2022, 12:38 pm by Ronarah

Changed my email address a while back, went to login on new thing and says password is wrong. Went to reset password and haven't gotten an email to reset it. :(

July 20, 2022, 12:38 pm by Mort

The "Reset Password" button is greyed out for me, although my new password meets the requirements. 🤔 I hope I won't be logged out anytime soon, otherwise I'm in big trouble!

July 20, 2022, 12:37 pm by Ashalilly

Not working for me, it's saying the email or password is wrong, but I did just log in using the same password. Is there any way to check if there is some other email associated with the account? Never needed anything but a username before.

July 20, 2022, 12:37 pm by ImpalaFreak8877

Says invalid email

July 20, 2022, 12:36 pm by kytten

Glad i'm not the only one having issues >_>; Not accepting my login, and not sending me a reset pw. 🤷

July 20, 2022, 12:36 pm by NekoHime

What in the name of...0.0;;

July 20, 2022, 12:35 pm by Aimee

It's saying my password is wrong... it also will not email me a reset link and i'm using the same email that's in my preferences.

July 20, 2022, 12:35 pm by Bunny20

I tried to do it and it said my password was invalid. I changed my password, it tells me the email is invalid. What do I do?

July 20, 2022, 12:34 pm by Ciannwn

I followed the link to auth.subeta.net and tried to log in but was told "Invalid email or password"

July 20, 2022, 12:32 pm by lilybobilly

Resetting password managed to work for me!

July 20, 2022, 12:31 pm by Paula

It says to me, "Invalid e-mail or password", I even changed my PW today to make sure it was correct, and the e-mail I'm using is the same on my profile, I don't get what's wrong. ):

July 20, 2022, 12:30 pm by Laurey

Quick question though, if we changed our password now will we still have to change it again soon like was mentioned in the news post?

July 20, 2022, 12:30 pm by sushi

Resetting the password didn't work for me. :(

July 20, 2022, 12:30 pm by Deerest

wanted to use my old pass to log in too, had no choice but to reset it using the new site as it didn't take my old one. hopefully the new site solves the problem for some people not being able to do stuff cause they're constantly getting logged out!

July 20, 2022, 12:27 pm by Laurey

I also was having trouble logging in at first, but resetting my password worked (I was also using kind of an old and weak password that didn't meet the conditions of the new system).

I'm not seeing the banner at the top anymore either.

July 20, 2022, 12:26 pm by Evil

Scratch that - it's gone now ^_^

July 20, 2022, 12:26 pm by lilybobilly

I'm having the same problem, too. I am very certain I'm using the right password and e-mail.

July 20, 2022, 12:26 pm by Avel

I might need to reset my password too but that's not a hassle I'm doing on my phone. That can wait a few hours.

July 20, 2022, 12:24 pm by Evil

I'm also getting the message that i'm using the old cookie still even after clearing all cookies and logging in fresh using the new auth.subeta.net website

July 20, 2022, 12:23 pm by SeleneOryx

It is still saying I'm logged in via old system at the top of the page, though

July 20, 2022, 12:22 pm by SeleneOryx

Resetting password worked. I think it was because I didn't have a special character in my old password, so wouldn't be accepted under the new security requirements for a strong password?

July 20, 2022, 12:19 pm by Avel

Yeah, not having any luck logging in either.

July 20, 2022, 12:19 pm by KeithTest

I'll take a look, but in the meantime you can do a password reset on https://auth.subeta.net!

July 20, 2022, 12:17 pm by SeleneOryx

It's saying my password is incorrect, even though I'm using the saved password on my browser .... Tried every email I own, and even changed it under dashboard -> profile -> email.

July 20, 2022, 12:17 pm by Wizardpinky

thanks!

July 20, 2022, 12:16 pm by KeithTest
July 20, 2022, 12:14 pm by Wizardpinky

I click on the link and it says enter email. What happens if you forgot the email you used? Is there a way we can look it up? If not, would there be an option for username??
