Security / Authentication Update

Instead of adding more duct tape to the existing system, we're introducing a centralized authentication site that handles logging you in across Subeta. Clicking any login or logout button on this site or on new Subeta will redirect you to https://auth.subeta.net, where you log in.
I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.
Benefits
#1 Central source of truth
auth.subeta.net has one mission: account management. That's it! We're going to move registration there as soon as possible, along with an avatar builder and pet creation, but its only job is account management.
You've probably noticed that when you click a link to log in with Google, you're taken to a separate domain (accounts.google.com) where you log in, and it then redirects you back. That is Google's centralized account service doing the important work behind the scenes and then sending you to the website you're trying to use with, in effect, the message "This user is all good, I've verified them!". auth.subeta.net plays the same role for Subeta.
#2 2022 Password Hashing
The method used to hash Subeta passwords in our database dates from the PHP 5 era. We're now running PHP 8.1 on all of our servers, and we have to include a special package in our PHP installation just to keep access to that legacy hashing method.
Your login cookie is encrypted by us and decrypted on the server; the server-side key is what tells the site that you're valid and not presenting fake credentials.
The new management system uses modern, slow, salted password hashing, which makes recovering passwords from a stolen copy of the database impractical (nothing is strictly impossible, but this is as close as it gets). And it gives us the benefit of...
#3 User-based Keys
Each cookie (what we set in your browser to say who you are) is derived from a special key that is unique to your account. We're going to be able to provide a button that resets that key, which logs you out on all devices. The cookie is also hashed together with your account password, meaning that if you change your password every session on your account is logged out immediately.
Finally, it's hashed with a top-secret Subeta key that we'll rotate on a schedule we won't publish; rotating it invalidates every existing cookie at once.
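To make the three-way binding above concrete, here is an added example (my code, not Subeta's) of a login cookie that stops verifying when the per-account key is reset, when the password changes, or when the site-wide key rotates. The class, method names, cookie layout and the sample account are assumptions; the password hash inside is a plain SHA-256 stand-in so the token logic stays in focus.

```python
# Added example (not Subeta's code): a login cookie bound to three separate
# secrets, so that resetting any one of them invalidates every cookie issued
# before the reset. Class, method names, cookie layout and sample user are
# all assumptions.
import hashlib
import hmac
import secrets


class AuthServer:
    def __init__(self):
        # Hypothetical server-wide secret. The real key and its rotation
        # schedule are not public; load it from a secret store in practice.
        self.server_secret = secrets.token_bytes(32)
        self.users = {}

    def register(self, user_id, password):
        self.users[user_id] = {
            # Per-account key: the "log out everywhere" button replaces it.
            "session_key": secrets.token_bytes(32),
            # Stand-in for the stored password hash. A slow, salted
            # algorithm (bcrypt, Argon2) belongs here in production.
            "password_hash": hashlib.sha256(password.encode()).digest(),
        }

    def _mac(self, user_id, rec):
        # Bind the cookie to the server key, the per-account key and the
        # password hash. Changing any one of them changes the MAC, so old
        # cookies stop verifying without any server-side session table.
        material = b"|".join([user_id.encode(), rec["session_key"],
                              rec["password_hash"]])
        return hmac.new(self.server_secret, material, hashlib.sha256).digest()

    def issue_cookie(self, user_id):
        # Cookie format (assumed): "<user_id>.<hex mac>".
        return user_id + "." + self._mac(user_id, self.users[user_id]).hex()

    def verify_cookie(self, cookie):
        # Returns the user id for a valid cookie, None for anything else.
        user_id, _, tag_hex = cookie.partition(".")
        rec = self.users.get(user_id)
        if rec is None:
            return None
        try:
            tag = bytes.fromhex(tag_hex)
        except ValueError:
            return None
        if not hmac.compare_digest(tag, self._mac(user_id, rec)):
            return None
        return user_id

    def reset_session_key(self, user_id):
        # The "log out on all devices" button.
        self.users[user_id]["session_key"] = secrets.token_bytes(32)

    def change_password(self, user_id, new_password):
        # A password change also logs out every session, for free.
        self.users[user_id]["password_hash"] = \
            hashlib.sha256(new_password.encode()).digest()

    def rotate_server_secret(self):
        # Rotating the site-wide key invalidates every cookie at once.
        self.server_secret = secrets.token_bytes(32)


if __name__ == "__main__":
    srv = AuthServer()
    srv.register("1234", "hunter2")          # constructed sample account
    cookie = srv.issue_cookie("1234")
    print(srv.verify_cookie(cookie))         # 1234
    srv.reset_session_key("1234")
    print(srv.verify_cookie(cookie))         # None: logged out everywhere
```

Because the MAC is recomputed from the stored record on every request, there is no list of live sessions to search or purge: whatever changed, the old cookies simply fail the comparison.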
Password Update
As part of all of these changes, the stored password hash for your account on Subeta is woefully out of date. We've implemented the new system so that it takes priority over the old one, which means we don't need to force every password on Subeta to be reset immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be changed.
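The verify-then-upgrade flow that lets a new password store take priority over the old one without a mass reset, as an added example (my code, not Subeta's). The post doesn't say which legacy algorithm Subeta used; unsalted MD5 stands in for it here and is an assumption, as are the function names and the stored-record format. The modern side uses PBKDF2-HMAC-SHA256 from Python's standard library; in PHP the equivalent calls are password_hash() and password_needs_rehash().

```python
# Added example (not Subeta's code): modern hashes take priority, and a
# legacy hash is verified once and replaced the next time the user logs in.
# The legacy algorithm (unsalted MD5) and the record format are assumptions.
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000
PREFIX = "pbkdf2_sha256"


def legacy_hash(password):
    # Assumed stand-in for the PHP 5-era scheme: fast, unsalted, crackable
    # offline with commodity hardware.
    return hashlib.md5(password.encode()).hexdigest()


def modern_hash(password, salt=None):
    # Slow, salted hash. Record format (assumed): prefix$rounds$salt$dk.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "$".join([PREFIX, str(PBKDF2_ROUNDS), salt.hex(), dk.hex()])


def is_modern(stored):
    return stored.startswith(PREFIX + "$")


def verify_modern(password, stored):
    try:
        prefix, rounds, salt_hex, dk_hex = stored.split("$")
        rounds = int(rounds)
        salt, dk = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    if prefix != PREFIX:
        return False
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(cand, dk)


def login(stored, password):
    """Check a password against the stored record.

    Returns (ok, stored_after). A modern record is checked directly. A
    legacy record is checked with the legacy algorithm and, on success,
    replaced with a modern hash of the same password, so the user keeps
    their password and the weak hash leaves the database on next login.
    """
    if is_modern(stored):
        return verify_modern(password, stored), stored
    if hmac.compare_digest(legacy_hash(password), stored):
        return True, modern_hash(password)
    return False, stored


if __name__ == "__main__":
    record = legacy_hash("hunter2")          # constructed legacy row
    ok, record = login(record, "hunter2")
    print(ok, is_modern(record))             # True True: upgraded in place
    ok, record = login(record, "hunter2")
    print(ok)                                # True: now verified the new way
```

The plaintext password is only ever available at login time, which is why the upgrade has to happen there rather than in a batch job; users who never log in again keep a legacy hash, and that is the population a later forced reset is for.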
Login Update
You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. The site will still read that old cookie, but we aren't going to support the old system for long. This is different from needing to update your password: the cookie is the temporary value that stores your account information in your browser, and it's very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.
Thank you
Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're already logged in to. I'm hopeful that this is the last major change we need to make to accounts, since we've made the hard choice to build it up from the ground instead of adding more duct tape.
Posted by Keith


As a reminder for people, unique passwords are going to be the best way to protect your account! If your current password is the same as another site, now would be an excellent time to change it to something you don't use anywhere else. Or, if you are taking the opportunity to make a new one, don't re-use it on other pet sites.
It's not working for me on iPad or Windows computer. Both are saying invalid email or password.


I hope 2FA remains voluntary. I already have to have my phone with me to get any paid work done, I'd like to be able to put it down to play :)

thank you for all the hard work you've all put in to address this issue. i'll keep my fingers crossed that this solution will stop all the insanity. :joy:

Thanks for all your hard work!!! I really appreciate how Subeta cares for its users safety - especially as That Other Site had yet another data breach TODAY! I hope it all works out smoothly.


So wait, should we go ahead and change our passwords? Or should we wait until you guys tell us to?

Would love to say it worked. I logged in the new way. And went back to my page five minutes later and had to log in again.


You guys are fighting the good fight. Good luck wrangling everyone, explaining everything, and doing the boss battle with the code.


@Xuanmeng
Make sure you're putting in your email address, not just your username, and that it matches the one you have listed at https://subeta.net/preferences.php?act=profile.
@MarchOnOff
Select old/legacy Subeta on that screen!


I haven't been asked to log in, but I am getting robot checked very often. It hasn't happened for a couple of days, so knock on wood.
https://subeta.net/forums.php/read/926879/Anyone-else-constantly-getting-Are-you-a-robot-checked/1/#66224952

I'm on Chrome and was able to log in, but the forums are not wanting to load. I get this at the bottom of the loading: "If forums are loading infinitely, please make sure you are logged in on New Subeta."
Trying to read a staff post? Check our Admin Posts page if you are unable to load the forums.

So where do I log in, to old subeta or new subeta? and if I log in one, is the other working? I so don't get it...or like it...

What do we do if auth.subeta.net doesn't recognize the email address connected with our account?

@Nikole thanks honey, but for some odd reason it wanted me to type in my email. Don't know why. Everything was spelled the same and correct. Thanks again honey :heart:


@-HyperBlossom-
If you're having trouble logging in on mobile with the correct information, double tap the login and it should work.

I personally think it's great that Subeta is moving forward to better site protection. I just wish I understood the technical aspects of it all. I have Asperger syndrome and sadly it's not easy for my brain to understand things that I've never learned before.


That's strange. The login works on the desktop, but if I try to log in on my phone it doesn't take my email address.

@capper09
Older passwords may not be safe anymore: Neopets just today, for instance, had a major security incident with their entire database exposed. We just want to make sure we're keeping everyone's accounts safe.
Go to https://auth.subeta.net and follow the directions to reset your password. Make sure it's got a mix of capital letters and symbols and numbers to make it harder for other people to guess it! Choose 'legacy' when it gives you that option. The rest of it, the technical stuff, you don't need to worry about. We just have the details there for people who are curious.
@capper09 Subeta has switched to a new, more secure login system that does a better job of making sure you're you and protecting your password from hackers. In the near future you will be asked to change your password just to make sure your account is safe. You will also be able to enable two factor authentication using SMS or an app for extra security if you'd like.
(I think that covers it for nontechnical stuff?)


@Petlover
If someone takes your device, they can get into your accounts with saved passwords, yes. However, one of the things this change lets us do is provide a button that allows you to log out across all devices. So if you save your password on your phone but you lose it or someone steals it, you can use another device (your computer, a friend's computer or phone that you trust) to log out even if you don't have your phone.

That worked flawlessly for me, I entered my email and password and was brought to a handy page where I got to choose to redirect to either Subeta 2.0 (where the wardrobe, CW market are held) or Legacy Subeta (where everything else remains so far). I can understand some of the hesitancy but I guarantee each and every one of y’all are constantly having your data sold by every company you purchase from, even the pharmacy. And I won’t even delve into all the ways our phones betray us. So please don’t allow a fear of new things to keep you away from this site. As Subeta moves into the future, so should we users.

What...??? Is there anyone here who can please translate this into German for a non-technical user? The translator tells something about keys, baking and secret pages... Please via private message... Thank you, thank you... I didn't understand anything... I am happy when I get a plug into the socket without an accident, and now so much technical...

Euh, how does that work? I never save passwords on my PC, in case it gets stolen and the thief can then go into all my accounts.

Bitwarden is a good free password manager if anyone is looking for one. It has a mobile app as well.

I'm glad that I checked that I had a current email address about a month ago when this was first mentioned in a News post. It made logging in pretty simple. :-)


I sadly probably have to quit Subeta now. I'm autistic and really can't take having to remember a new, too-hard-to-remember password with all the extras.


Had to change my password in order to use the new auth site, but it wasn't the strongest, so understandable. Also wish it used username instead of email address for login, but that's not that big of a deal.

@-HyperBlossom-
It's totally cool and my pleasure to help, I'd rather get double-pinged than no notice at all.
You should be all set, then!

@Galaxia I did change it through the preferences.php?act=profile so that should work fine. I'm just trying to make sure I understand everything right before I change my password. Sorry I hit the wrong button, that's my fault again, super sorry Galaxia



This whole thing hurts my brain. It took forever for me to figure out how to log in right.
