🔒 Security / Authentication Update

Over the last few months, the tape holding together our aging authentication system has started to fall and really show its age. You've probably been redirected to the login screen while trying to do anything, not been able to get the wardrobe or forums to load, and sometimes felt that it's completely broken.

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.

I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.

Benefits

#1 Central source of truth

[auth.subeta.net](https://auth.subeta.net/) has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.

You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service doing the important work behind the scenes, then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".

#2 2022 Encryption Method

The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.

We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.

This new management system uses modern hashing methods, which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...

#3 User-based Keys

Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.

Finally, it's hashed with a top secret Subeta key, that we will rotate on a secret basis.
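
A minimal sketch of the cookie scheme described in this section, added here as an illustration and not Subeta's actual code. It assumes HMAC-SHA256 for the cookie tag and PBKDF2 as a stand-in for the stored password hash; all function names, the account record, and the secrets are hypothetical.

```python
import hashlib
import hmac
import secrets


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in for the stored password hash (assumption: the post names no algorithm).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def cookie_key(site_secret: bytes, user_key: bytes, password_hash: bytes) -> bytes:
    # The site secret is the HMAC key; length prefixes keep the two fields unambiguous.
    mac = hmac.new(site_secret, digestmod=hashlib.sha256)
    for part in (user_key, password_hash):
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def issue_cookie(account_id: str, account: dict, site_secret: bytes) -> str:
    payload = f"{account_id}.{secrets.token_hex(16)}"
    key = cookie_key(site_secret, account["user_key"], account["password_hash"])
    return f"{payload}.{hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()}"


def verify_cookie(cookie: str, accounts: dict, site_secret: bytes):
    parts = cookie.split(".")
    if len(parts) != 3 or parts[0] not in accounts:
        return None
    account = accounts[parts[0]]
    key = cookie_key(site_secret, account["user_key"], account["password_hash"])
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison of the recomputed tag against the presented one.
    return parts[0] if hmac.compare_digest(expected.encode(), parts[2].encode()) else None


def demo() -> dict:
    # Constructed account record and secrets, for illustration only.
    site_secret, salt = secrets.token_bytes(32), secrets.token_bytes(16)
    accounts = {"1001": {"user_key": secrets.token_bytes(32),
                         "password_hash": hash_password("old password", salt)}}
    cookie = issue_cookie("1001", accounts["1001"], site_secret)
    results = {"fresh": verify_cookie(cookie, accounts, site_secret)}
    accounts["1001"]["user_key"] = secrets.token_bytes(32)  # the "reset key" button
    results["after_key_reset"] = verify_cookie(cookie, accounts, site_secret)
    cookie = issue_cookie("1001", accounts["1001"], site_secret)
    accounts["1001"]["password_hash"] = hash_password("new password", salt)
    results["after_password_change"] = verify_cookie(cookie, accounts, site_secret)
    cookie = issue_cookie("1001", accounts["1001"], site_secret)
    results["after_site_rotation"] = verify_cookie(cookie, accounts, secrets.token_bytes(32))
    return results
```

Because the signing key is recomputed from the current account record on every request, no server-side session list is needed to revoke old cookies: changing any of the three inputs makes every previously issued tag fail verification.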

Password Update

As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.

Login Update

You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different from needing to update your password; this is the temporary cookie that stores your account information in your browser. It's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.

Thank you 🙏

Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts (🤞), since we've made the hard choice to build it up from the ground instead of adding more duct-tape.

Posted by Keith

PaintedPawz
Can anyone help me here? I know my email address is correct, but it keeps telling me wrong email or password and I've been using it for the past year with no problems :/
Narshe
@Ashen.glaze
Staff did an announcement last month regarding having your email up to date.
ashen.glaze
Really would have liked some sort of headsup before implementation so that I could actually check which email I'd used to sign up.......... over 10 years ago. That is an email I have not touched in years, have completely forgotten about in context re Subeta. And since I don't show my email in my profile, that's no help either. As it is, I'm lucky I was able to guess right, because otherwise I wouldn't have been able to log in at all.

@ staff/Keith, next time you implement a security measure like this, please give us advance warning so we can prepare. Not everyone stays signed in, and not everyone remembers what email they signed up with.
Sketchpad
please tell me we aren't going to have to download and fight with one of those authenticator phone apps that generate one of those stupid codes you have to put in
loopa
finally worked for me!!! had to go into my profile and change my email address (forgot about the fact that everything i use now is connected to Google lol!!) and once I did it in the old system on my phone it worked!!!
Galaxia
@NekoHime
There's no midnight deadline or anything.

@Nebet @Maybird
You don't have to change it now, although if it's an older, re-used, or weaker password now might be a good time. We'll put out another notice when we are completely resetting passwords.

@Rosecel @BoaConstrictor @lissesul @slippy @yellowdream
If you're still having trouble when you try again, please file a ticket!

@yellowdream
You're not going to lose your account! This is about keeping your data safe and making log-in and authorization a more cohesive process.

@ColdDragon
Thank you for the details! I'm seeing a few other people mention issues as well across devices, and Keith is going to take another look today.
Rosecel
"Invalid email or password" Email is the one on my profile and my password is correct.
I tried on Safari, Firefox and Chrome.
Moonbeam
Given the massive data breach over on Neopets, this is not only welcome news, but a refreshing difference in how pet sites are managed. Thank you for being direct, up front, and letting everyone know EXACTLY what is going on, what will be changing, and why. This is the sort of staff response that all game/pet sites should have!
BoaConstrictor
Any new suggestions for us, who are not successful?
Shinko
Ahaha, very good timing for this in light of the neopets data breach.
daisuki
where's neugarten
lissesul
Update:
I tried it on Chrome as well. I also added https://auth.subeta.net to my whitelist as well. Still get Invalid email or password
lissesul
Invalid email or password*

I have triple checked my email address. It's still my same valid one & I have never changed my e-mail for Subeta.
I can log on with my username & old password.
I can't get logged on with the https://auth.subeta.net link at all.
I even reset my password and still no go.
I am using my old login & password, until this is resolved I'll keep on with the old way of logging in and playing.
I am using Firefox on my PC.
castyourshadow
Woo! It works. I was someone who initially didn't get the email to reset password, so if anyone was having that issue, it's working (for me) now. Maybe give it another shot?
StarShadow
Thank you for the update. I signed in last night with no problem. Just hope it keeps working correctly and there aren't any more problems. Appreciate the information.
slippy
I tried using it but it doesn't work for me. It says I don't exist!
ColdDragon
I cleared my cookies on both Chromebook and phone browser. Used the new login on both devices and the message at the top of the screen went away. When I came back on phone browser the new login message was back on top of the screen. I'm able to play the site so I'm not stressed but it is a worry since it's acting like I'm still on old cookie and login.

Using Chrome browser on Chromebook. Edge browser on Android phone.
Arcania
I am impressed - at least from my experience this is the most seamless rollout I have ever seen for account/authentication updates.
Synth
I waited until now to touch this since so many people were having problems and I was able to log in on my phone and desktop without issue (at least, none that I have detected so far). Just saying this for anyone else who may still be hesitant to try.

Thanks for working to keep us secure, Subeta!
LothlorienRain
Once I found where I can find my email I used to sign up (located in Preferences) I was able to sign in with no problems so far.
Julie
Disregard, I think I'm at the Legacy Site.
Julie
It doesn't recognize my email address at the new authentication site.
ChatLunatique
Interestingly I initially got the "invalid password" error, but being the stubborn old bat that I am, I called the system a few choice names and smashed the enter/next/whatever button anyway. It let me in without any further problems. :)
banana
Everything has worked for me so far. I relogged in on my work computer and on my home laptop, both Macs and both using Chrome. My desktop at work said invalid the first time but worked the second time, I waited like no time in-between attempts. I don't know if this information helps at all but I figured I'd share in case it did lol
Shannon
@Galaxia Hi :) Everything has worked fine for me so far, but I was wondering if we were being encouraged to go ahead and change our passwords or if we should wait until you guys tell us it's time?
BoaConstrictor
Judging by the measly number of users online, a lot of people have successfully locked themselves out of Subeta :-(
BoaConstrictor
Invalid email or password
Fortunately
1) I tried on my fairly useless, tiny, slow, garden/vacation meant notebook.
2) I still had another Subeta window open, a random link of which opened up the old login page - which let me in
3) old login still possible & works

I have never in all those years changed my e-mail for Subeta.
Obviously the password I tried numerous times, is correct.
I did add https://auth.subeta.net to my very few allowed cookies.
corvoo
so weird how we get this news on the same day as neopets' data breach. yet another reason why subeta is superior 😝
BleedingOrange
I've logged in 2 times with new method but when I go to another page the message is still on top saying I'm using the old one
the_beast
can't see the games tab?
yellowdream
it's saying my password or email is invalid, been trying but still getting message at the top, will I lose my account so worried ..
Ciannwn
Managed to log in with the new system yesterday and the banner disappeared. Came on this morning to see the banner again telling me I'm logged in under the old system.
Luck
@CastlesInTheSky Notice that we needed up-to-date email addresses for this process was posted a month ago : News post
NekoHime
Is it important to log in that way before midnight? because if so then I already failed
CastlesInTheSky
Just out of curiosity..
Ever hear about giving people fair warning? or SOME KIND OF FN' notice?
I never stay logged in & I ain't got a clue what my email is that I use on this site. I had to search around for anything that looks remotely familiar. 40min later here I am. But not from the new login. I signed in using the old page using my username/password. I'll go look what my email is later.
Do my head in
Luck
I'm not sure if I just typed my pw wrong the first time (unlikely, I'm slow and careful) but I also had the invalid email/pw error the first time. I refreshed the page and typed my pw again and it worked that time. Not sure if refreshing/trying more than once will help anyone having trouble.
Coma
Logged in to the new system, changed my password because it was due for a refresh anyways — worked like a charm across all my devices. Thanks! We love a good security/transparency update.
Kinky
Looks like I missed all the fun because I was able to reset my password, and it worked perfectly.
CassieFenix
@Galaxia

Thanks for putting the link to the profile page here! I was trying to log in with my new email address which I changed a while back but couldn't, so when I checked my profile, I realized I had my old email address there! Updated it and fixed it so I could log in using the new method.
Bliss
I logged myself into the new system on my laptop, but I see it didn't change me to the new login on all my devices as I still have the message on mobile
@Galaxia
oilbird
@Galaxia Great, thank you!
Bren
So far so good- I logged into Subeta via the Authenticator site on my iPad first- then updated my PW and logged on using my phone. I'll set it up on the laptop tomorrow! 👍🏻
Tammynoneed20
Well I kept getting logged out on chrome this time I couldn't log back in so I'm back on firefox and no troubles yet and the forums are working for me on firefox
Faizh
this change comes in a very interesting day. thanks for this update.
Chef
One issue that I do have with the changing of the password system as it is currently is that it doesn't send a link or anything to your email to click on. It just allows you to change the password. I also didn't receive any email stating that the password on my account was changed.
sundaykid
Yeah, same as a lot of other people, it's saying my password or email is invalid, and won't send a reset email, and the email is definitely correct.
raw
thank you for working so hard with Subeta ;-; I love this website, am so happy and thankful for the people who keep it running <3
Dracona
could not change my password. logged in ok, but wanted to change password and the submit button is greyed out despite having all the rules followed and passwords matching. :(
@Wizardpinky go to Dashboard then click Profile on the top tabs to find email.
micheleey
@Galaxia
Will do, thank you for your help!! :)
Galaxia
@micheleey
Please file a ticket, then! If it's something that needs patching or there are more troubleshooting steps we can do, the ticket is going to be the best way to have the info handy and follow up.
