Security / Authentication Update

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.
I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.
Benefits
#1 Central source of truth
auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.
You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".
#2 2022 Encryption Method
The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.
We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.
This new management system uses modern hashing, which is impossible (as much as anything is impossible) to crack. And it gives us the benefit of...
#3 User-based Keys
Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.
Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.
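To make the three-layer cookie scheme above concrete, here is an added example (not Subeta's code) of a session cookie whose MAC key is derived from a per-user session key, the user's current password hash, and a server-wide secret. Resetting the session key, changing the password, or rotating the server secret each invalidates the cookies that depend on it. The class and function names, the cookie layout, and the 30-day maximum age are assumptions for the example; the post does not mention an expiry.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Assumed for this example: cookies older than 30 days are refused.
COOKIE_MAX_AGE = 30 * 24 * 3600


class SessionAuthority:
    """Issues and checks session cookies keyed per user (hypothetical name)."""

    def __init__(self) -> None:
        self.server_key = secrets.token_bytes(32)   # the rotatable server-wide secret
        self.users: dict[int, dict[str, str]] = {}  # constructed in-memory user table

    def add_user(self, user_id: int, password_hash: str) -> None:
        self.users[user_id] = {
            "password_hash": password_hash,        # whatever the DB stores; treated as opaque
            "session_key": secrets.token_hex(16),  # per-user key, never sent to the browser
        }

    def _mac_key(self, user_id: int) -> bytes:
        # Per-user MAC key = HMAC(server_key, user_id | session_key | password_hash).
        # The hash and session key stay on the server; only a MAC reaches the browser.
        u = self.users[user_id]
        material = b"\x00".join(
            [str(user_id).encode(), u["session_key"].encode(), u["password_hash"].encode()]
        )
        return hmac.new(self.server_key, material, hashlib.sha256).digest()

    def issue_cookie(self, user_id: int, now: Optional[int] = None) -> str:
        issued_at = int(time.time()) if now is None else now
        payload = f"{user_id}.{issued_at}"
        mac = hmac.new(self._mac_key(user_id), payload.encode(), hashlib.sha256).hexdigest()
        return f"{payload}.{mac}"

    def verify_cookie(self, cookie: str, now: Optional[int] = None) -> Optional[int]:
        """Return the user id the cookie vouches for, or None if it is not valid."""
        try:
            user_s, ts_s, mac = cookie.split(".")
            user_id, issued_at = int(user_s), int(ts_s)
        except ValueError:
            return None
        if user_id not in self.users:
            return None
        current = int(time.time()) if now is None else now
        if not 0 <= current - issued_at <= COOKIE_MAX_AGE:
            return None
        expected = hmac.new(
            self._mac_key(user_id), f"{user_id}.{issued_at}".encode(), hashlib.sha256
        ).hexdigest()
        # Constant-time comparison so a wrong MAC does not leak where it differs.
        if not hmac.compare_digest(expected, mac):
            return None
        return user_id

    # The three invalidation levers the post describes:
    def reset_session_key(self, user_id: int) -> None:
        """The 'log me out on all devices' button."""
        self.users[user_id]["session_key"] = secrets.token_hex(16)

    def set_password_hash(self, user_id: int, new_hash: str) -> None:
        """A password change: cookies issued under the old hash stop verifying."""
        self.users[user_id]["password_hash"] = new_hash

    def rotate_server_key(self) -> None:
        """Rotating the server secret logs every user out at once."""
        self.server_key = secrets.token_bytes(32)


def demo() -> dict[str, bool]:
    """Walk through each invalidation case on a constructed user; all values should be True."""
    auth = SessionAuthority()
    auth.add_user(42, "hash-of-old-password")  # constructed placeholder, not a real hash
    c1 = auth.issue_cookie(42, now=1_000)
    tampered = c1[:-1] + ("0" if c1[-1] != "0" else "1")
    out = {"fresh_cookie_ok": auth.verify_cookie(c1, now=1_000) == 42}
    out["tampered_rejected"] = auth.verify_cookie(tampered, now=1_000) is None
    out["expired_rejected"] = auth.verify_cookie(c1, now=1_000 + COOKIE_MAX_AGE + 1) is None
    auth.set_password_hash(42, "hash-of-new-password")
    out["password_change_logs_out"] = auth.verify_cookie(c1, now=1_000) is None
    c2 = auth.issue_cookie(42, now=1_000)
    auth.reset_session_key(42)
    out["key_reset_logs_out"] = auth.verify_cookie(c2, now=1_000) is None
    c3 = auth.issue_cookie(42, now=1_000)
    auth.rotate_server_key()
    out["server_rotation_logs_out"] = auth.verify_cookie(c3, now=1_000) is None
    return out


if __name__ == "__main__":
    print(demo())
```

The design point worth noticing is that nothing secret is stored in the cookie: the browser only ever holds a user id, a timestamp, and a MAC, so a stolen database row cannot be turned into a cookie without the server key, and a stolen cookie dies the moment any of the three inputs changes.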
Password Update
With all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement the new system so that it takes priority over the former one, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.
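The "new hashing takes priority, but nobody has to reset yet" property from the Encryption Method section and the Password Update section is usually achieved by tagging each stored hash with its scheme and upgrading it at the first successful login. The following is an added example, not Subeta's code: the "legacy" scheme is a constructed stand-in (salted SHA-1), since the page does not describe the real PHP-era format, the modern scheme is scrypt from Python's standard library with assumed work factors, and the record layout and function names are this example's own.

```python
import hashlib
import hmac
import secrets

SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # assumed work factors for the example
MODERN = "scrypt"
LEGACY = "legacy"


def legacy_hash(password: str, salt: bytes) -> str:
    # Constructed stand-in for the old scheme: a single fast SHA-1 over salt+password.
    # Kept only so existing records can still be checked; never used for new records.
    return hashlib.sha1(salt + password.encode()).hexdigest()


def make_legacy_record(password: str) -> str:
    salt = secrets.token_bytes(8)
    return f"{LEGACY}${salt.hex()}${legacy_hash(password, salt)}"


def make_modern_record(password: str) -> str:
    salt = secrets.token_bytes(16)
    dk = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"{MODERN}${salt.hex()}${dk.hex()}"


def verify_record(record: str, password: str) -> bool:
    """Check a password against a record using whichever scheme the record's tag names."""
    scheme, salt_hex, digest_hex = record.split("$", 2)
    salt = bytes.fromhex(salt_hex)
    if scheme == MODERN:
        candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS).hex()
    elif scheme == LEGACY:
        candidate = legacy_hash(password, salt)
    else:
        return False  # unknown tag: refuse rather than guess
    return hmac.compare_digest(candidate, digest_hex)


def needs_rehash(record: str) -> bool:
    return not record.startswith(MODERN + "$")


# Used so that "no such account" costs the same as a real check (timing equalisation).
DUMMY_RECORD = make_modern_record(secrets.token_hex(8))


def login(users: dict[str, str], email: str, password: str) -> bool:
    """Verify the password; on success, silently upgrade a legacy record in place."""
    record = users.get(email)
    if record is None:
        verify_record(DUMMY_RECORD, password)
        return False
    if not verify_record(record, password):
        return False  # a failed attempt must never touch the stored record
    if needs_rehash(record):
        users[email] = make_modern_record(password)  # the plaintext is in hand only now
    return True


def demo() -> dict[str, bool]:
    """Constructed user table with one legacy record; all values should be True."""
    users = {"player@example.com": make_legacy_record("correct horse")}
    out = {"legacy_record_before": needs_rehash(users["player@example.com"])}
    out["wrong_password_rejected"] = not login(users, "player@example.com", "wrong")
    out["still_legacy_after_failure"] = needs_rehash(users["player@example.com"])
    out["login_ok"] = login(users, "player@example.com", "correct horse")
    out["upgraded_to_modern"] = not needs_rehash(users["player@example.com"])
    out["login_ok_after_upgrade"] = login(users, "player@example.com", "correct horse")
    out["unknown_user_rejected"] = not login(users, "nobody@example.com", "correct horse")
    return out


if __name__ == "__main__":
    print(demo())
```

The upgrade can only happen at login because that is the one moment the plaintext password is available; accounts that never log in keep their legacy record, which is why a site running this pattern eventually still has to announce a forced reset for stragglers, exactly as the post says it will.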
Login Update
You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. The site will still read that old cookie, but we aren't going to be supporting the old system for long. This is different from needing to update your password: this is the temporary cookie that stores your account information in your browser, and it's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.
Thank you
Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts, since we've made the hard choice to build it up from the ground instead of adding more duct tape.
Posted by Keith

I was able to log in, FINALLY! I found out what was wrong, in case it helps someone else out there:
I clicked 'forgot my password', had to wait a bit but the mail was sent (to spam), then I reset my password (it wasn't possible before because it said the password was weak, that's how I found out, and when the password said "strong", then I was able to click 'reset').
After I reset the password, it worked, I could log in just fine.
Just in case it helps someone that was having the same issue with invalid username/e-mail/password like me.


logging in with username doesn't work, either - "invalid" message
...getting 504's here on the comments repeatedly


Everyday i keep getting the "You're logged in to Subeta using the old method, and we'd appreciate you switching to the new method. Check out the news post here for more details." Do I have to sign into the Auth version everyday?


Thank you for fixing it so quickly. I was able to use my username to log in and find out that the email I used to sign up was one I hadn't used in years.
When I put in my email and password to try to log into the new system it says that my username cannot be found


I also get a blank page when I want to log in, my workaround is to press the ESC key before it turns white lmao. :sob:


@teacup132
The plan right now is to make it the default log-in page on Monday (with a username option, not just email address), and either a link to this newspost on it or a separate page with the information. I'm also trying to make sure we have the reminder/address to email support for assistance as well.
It says I'm still on the old system when I did change to the new one on my laptop. Ah well lol

I just wanna say I think the timing of subeta doing this update that will require updating our passwords while neopets has an active security breach is really funny to me


I'm having the issue where I log in via the new way on mobile, navigate to something else and come back and I get the banner again saying I need to log into the new way. Can we please get a button on the sidebar so I don't have to scroll to the bottom of the news post to relogin?

Everything worked just fine for me when I switched over the other day~ Big thanks to staff for keeping this place going & helping to keep the users safe & secure. ♥️
Anyway, here's a list of what seems to be commonly asked questions, in one spot, with big, bolded bits, for your skipping-er viewing pleasure. ;)

How do I check / change which email I used?
Email Check And Change Info

How can I log in the old way? (to check / change email, etc)
Old Login

I cannot remember my password / it says my password is incorrect?
Password Problems

I can't log in either way!
Please Remain Calm

Other assorted questions.

Do I need to change my password now?
No. "You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated."

Do I have to use Two-Factor Authentication?
No. 2FA is only if you want to use it, and it is not available yet. (But you really should consider using 2FA for any account you care about that offers it.)

Why are there so few users online?
Pretty sure users logged in the new way are not included in the online count. For example, the "Last Seen" section of user profiles does not update for users logged in the new way. (I'm sure it will be fixed in the future.)

Anyone that has logged in just to do the BH would've seen the former news post about how they were going to implement this change. I saw it and read that it would be for later, so I dismissed it. There's been an active forum thread about making sure your sign up email address was up to date since then, for a month now. Fortunately I still use mine as I've gotten used to using multiple emails for a variety of things.
This news post was too convoluted. Honestly, most of it could've/should've gone in a "tech post" in Site Updates. I don't know why everyone was trying to change their password at the time of this post b/c it specifically said -
Quote:
You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.
To check what the original email is, go to the dropdown menu of Personal and then select -> Dashboard-->Profile. There it is.
The original link in the news post works with your old email and old password, so if you want to get rid of the message, sign in that way (under a separate tab if you think you'll get locked out) and you should be fine. In the meantime, if your email is outdated then you should probably update it AFTER you use the new authentication at https://auth.subeta.net. With them switching the mail servers, I think that was part of the issue (that was many, many comments ago.)
To those that said it should've been a sticky, sidebar or whatever - MOST DEF agree. A step by step process, in most cases, that leaves out the how's and why's and just tells you what to do.
There is no need to update your password at this time so that's the first thing to pay attention to. The second is to login as normal, even w/ your outdated email (since you won't get an email asking you to verify it's you at this time), through the https://auth.subeta.net . Once logged in normally with your new cookie, you shouldn't have a problem changing your email address via the above route in Dashboard/Profile.

I can not log in the new way. When I use my username and password it says email not correct. I made this account forever ago, I am not sure of the email I used ><


@Nikole
I appreciate that they did, but I wasn't on Subeta at the time when they posted it. News posts get buried pretty quickly. If they could pin it up in some way (eg banners, on the sidebar in the front page such as below the staff forum post), that would make it less likely for users to miss such announcements.

@Galaxia
Keith's link doesn't work for me when I'm not logged in (which is the problem). As for the news post, that seems pretty dependent on people being around at the right time to see the post (which I did not get the chance to see). If possible, it would have been better to see it pinned as a banner or on the side bar of the front page.

In the banner that asks people to log in using new method, please put a link to directly log in... instead we are redirected here, have to search through a bunch of text to find the link. I had already read the text... I don't want to have to search every single time to find the link.
Also, please keep in mind that many people use autofill for passwords so it's easier to forget when we don't constantly use it. I actually had to go retrieve it in my browser settings, use another password to let me see the passwords for sites, etc. It was complicated to say the least. I understand it's a necessity to change but for those that have emails, it might be good to have an auto email to remind the people what their password is or an option to send an email with a temporary password to allow people to reset passwords.

I'm having trouble with the wardrobe! I'm getting the spinning wheel of death and had to log in to it separately from Subeta. When I do click on it from the drop down tab on the site it says I must be logged in to view the wardrobe.
i had a hard time trying to log into my account because my account didn't have an email set to it, luckily i found the old site link. please introduce a user log in link until the email link works correctly :)




Judging by the drop in the number of users online — I assume some of them can't log in anymore — what I would suggest is to put a disclaimer about the password reset on that new method login page, and a temporary link to the old method login page so people can log in as before and check their email address in the Prefs page... Or something like that, I'm no UI/UX designer lol!
At this moment, the password reset suggestion (which fixed it for me) is buried in the comments and the link to the news post on that auth.subeta.net main page seems incorrect.

if you log in with your email through that link, are you fine then until the site tells us we have to update our passwords?

Trying to change my email before I do the new log in.
I type my new email address into the profile section but it keeps showing up with the old one that has not been used in 10 years.
Am I doing something wrong?
Well OBVIO I was the dumb one then thinking we'd get at least a 24h notice/reminder of a post buried in the news from one month ago.

Made sure I was logged in the new way as soon as this went up. And now I'm getting the same pop up that I'm logged in the old way?
Got everything to work fine for me on the first try!
I work in chat/email based site support and opening the comments to this newspost sent me straight into nightmareland. Hope all goes smoothly! :skull:

@BoaConstrictor I saw the amount of users today and was shook ; 3 ; hope everyone was able to log back in


@capper09
You'll be able to decide on the 2-factor authentication, you don't have to do it just yet. You also don't have to change your password just yet.
@jersey
Understandable, please just get to it when you can! We will be working on issues as well over time and will let people know before we stop supporting the old authorization system.

After reading all this not yet comfortable making the change with the issues.
Have a couple things going on that I'm involved in and would hate to get locked out and not be able to finish them.



@Sketchpad
2-factor authorization is going to be voluntary, you won't have to bother with a phone app or anything unless you want to.
@capper09
It should be back up, Keith was fixing something quickly! He wants to make sure this works, not just dump the code once.
@[ashen.glaze]
I did make a news post last month, and Keith's second comment on this post down at the bottom was showing someone where they could check the email for the account.
@Coyote
You will have to set your password again in the future, but if you change it from your old one to something new you can reconfirm the new one when we do the reset!
@PaintedPawz
Try requesting an email for a password reset? If that doesn't work, please file a ticket!



If we change our password now on the new log in screen will we have to change it again when it switches over?


If anyone is having trouble, change your old password and double check to see if your email is still working. I did both, as someone mentioned earlier in the thread and it worked.

after using the right site to log in i got this:
Server Error... Application Error ... This application failed to respond
good that this site is loyal to their faults... sigh
