🔒 Security / Authentication Update

July 20, 2022 12:12 pm

Over the last few months, the tape holding together our aging authentication system has started to fall and really show its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it’s completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

Central source of truth

auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to login with Google that you're taken to a non-google domain (sometimes youtube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and log in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different than needing to update your password, this is the temporary cookie that stores your account information in your browser. Very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.

March 8, 2026, 11:05 am by

Hello, I know this is an old post but I've just been asked for my pin while trying to log back in on Subeta Legacy, obviously whatever I tried to enter didn't work and it was a bit of a scary moment 😅

March 15, 2024, 6:31 am by

Thanks for this information

May 28, 2023, 9:17 pm by

@geometry dash I am also having the same problem. Has anyone got a solution for the above problem?

May 28, 2023, 9:11 am by

hooray for updates <3 congratulations!

March 9, 2023, 4:57 am by

I, too, had problems getting in at first, but after changing my password (which was, admittedly, a little antiquated and weak), I was able redactle to access the system once again.

January 27, 2023, 1:38 am by

Hey, Keith it’s me, Dela.. you know the the person you hate so much that you removed Keith day a long time ago, very sorry about that but Amber banned me and she didn’t even know I didn’t have a alternative account on here!

August 24, 2022, 7:50 pm by

I can't log in through the new log-in page. I just get constant errors even though I know my information is correct.

August 12, 2022, 10:10 am by

Why do I have to keep logging back into it the new way? Seems like every other day, and it's starting to get very annoying.

August 10, 2022, 10:54 pm by

🔒 You're logged in to Subeta using the old method, and we'd appreciate you switching to the new method. Check out the news post here for more details.

LOL NO, WHY I have logged into the new method so many times now! I never log out before I get this message, if this helps lol.

August 6, 2022, 10:30 am by

I get this message every day, sometimes multiple times a day. I log in the new way every time but it never stays. This page keeps taking longer and longer to load as well. Any advice or should I just resign myself to permanently playing with this stupid message on every page?

August 5, 2022, 11:16 pm by

I appreciate better security but I AM logged in using the new method. I've done it twice now and I just got the message again. Can we get some clarification on why this is happening?

August 5, 2022, 3:06 pm by

I am also continually getting a message that my username or password is invalid. I know after 25 times I'm entering them correctly. :(

August 5, 2022, 1:39 am by

HOW MANY times are we going to have to keep logging in via the link above before it finally sticks? If we've done it once, do we have to keep doing it over and over and over and over...or can we just ignore the notification that we get? This will be the 4th or 5th time I'm doing this. I'm sure people would like to know via an announcement that if you've done it at least once, you don't have to keep doing it (if that is the case).

August 2, 2022, 2:19 pm by

Trying to use the new method, the site won't even let me log in.... so old method is the only way I seem to be able to access my account.

August 1, 2022, 4:38 pm by

Given what happened with a certain other petsite recently, I appreciate Subeta's efforts to try and keep things moving forward before anything bad can happen.

July 29, 2022, 10:30 pm by

I'm gonna continue using the old method until I get told I can't or it gets fixed I'm tired of it changing to You're logged in to Subeta using the old method everytime I open the page back up

July 29, 2022, 8:25 pm by

I have logged in using the new method as requested every time I have been on the site since the change, at least 5 times. It still says I am logged in the old way when I get on. I cleared the cookies. I don't know what the issue is but it is very annoying having to log in every time and still getting bad gateway messages every other thing I click on.

July 29, 2022, 7:55 am by

I used a strong password and it worked Thankyou so much XXXX

July 28, 2022, 5:39 pm by

Today all day the same banner here keeps popping up saying Your logged in to Subeta using the old method not sure how many times I need to do this cuz it seems to not help it still pops up

July 28, 2022, 7:29 am by

Like some others on here, I've logged in with the new authorization several times on my phone and my computer. And every so often it tells me I'm logged in the old way and please do the new authorization.... Do I really need to keep doing it every time that notice shows up?

July 28, 2022, 5:50 am by

I can’t get rid of the banner.

July 28, 2022, 2:57 am by

I finally managed to figure it out, thank goodness. At least I didn’t lose a long bathhouse streak :)

July 28, 2022, 1:02 am by

still cant log in will keep trying oh dear..

July 28, 2022, 1:01 am by

still cant log in will keep trying oh dear..

July 27, 2022, 11:50 pm by

I log in via the new method, but it takes me to the site and I'm still logged out and have to sign in again, and I noticed since I use mobile if i leave the page for more than 15 minutes it logs me out :(

July 27, 2022, 8:17 pm by

I hit both logins every time I come on here. First is the old way and then it automatically takes me o the new way.

July 27, 2022, 7:18 pm by

Same as

July 27, 2022, 6:51 pm by

i'm getting a notice at the top of the page saying i'm logged in under the old system and need to sign in through the new system. i already did, a week ago. do i have to do it again?😔

July 27, 2022, 4:34 pm by

This keeps happening to me also. I've logged on the "new" way at least 3 different times on desktop and mobile.

July 27, 2022, 3:46 pm by

Can you log back out and log back into the new version, making sure to choose the legacy site? Or is this still ongoing as a problem for you?

July 27, 2022, 2:08 pm by

I logged in using the new auth method when it was first announced - now it's asking me to do it again because I'm not on the new method.

July 27, 2022, 12:53 pm by

Past this point please put it in Problems and Bugs, although here's hoping it's been ironed out. There is also likely going to be a news post announcing when we're no longer supporting the old auth system.

Y'all have been champs dealing with the new process as Keith makes changes, and we appreciate it,!

July 27, 2022, 12:30 pm by

At this time it looks to be fixed.

If it happens again should i just contact you on here?

July 27, 2022, 4:52 am by

Im still trying to log in by new method ..changed email address, password and browser .I have made a ticket also but still left behind its making me very worried how much longer before I cant log into subeta at all ,

July 27, 2022, 3:04 am by

Sorry for spamming, but none of my comments ever showed up so I kept trying…

July 27, 2022, 3:03 am by