Security / Authentication Update

So instead of adding more tape to the system, we're introducing a centralized authentication site that'll handle logging you in across Subeta. Clicking on any login or logout button from this site or new Subeta should redirect you to https://auth.subeta.net, where you can log in.
I want to talk through a few of the benefits directly, and we'll be discussing this more in the coming days. As part of this change, we will be removing PIN protection but will be offering 2FA (getting a code sent to your email or phone) as soon as possible.
Benefits
#1 Central source of truth
[auth.subeta.net](https://auth.subeta.net/) has one mission: account management. That's it! We're going to move registration there as soon as possible, with an avatar builder and pet creation, but its only job is account management.
You've probably noticed when clicking on a link to log in with Google that you're taken to a non-Google domain (sometimes YouTube) where you log in, and it redirects you. That is the centralized account management service, doing the important work behind the scenes and then sending you to the website you're trying to use and saying "This user is all good, I've verified them!".
#2 2022 Encryption Method
The method used to encrypt Subeta passwords in our database is from PHP 5.7. We're now using PHP 8.1 on all of our servers. We have to include a special package in our PHP installation to have access to the 5.7 hashing methods.
We encrypt your cookie and decrypt it on the server, and the key is what tells the site that you're valid and not using some fake credentials.
This new management system uses modern hashing methods, which are impossible (as much as anything is impossible) to crack. And they give us the benefit of...
#3 User-based Keys
Each cookie (what we set in your browser to say who you are) is salted with a special key that is unique to your account. We're going to be able to provide a button that allows you to reset that special key, which will log you out on all devices. It's also hashed with your account password, meaning if you change your password everyone will be logged out of your account immediately.
Finally, it's hashed with a top secret Subeta key that we will rotate on a secret basis.
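The cookie scheme described in #3, sketched as an added example (this is not Subeta's code): a session cookie whose tag depends on a per-account key, the stored password hash and a site-wide key, so that changing any one of the three invalidates every cookie issued before. HMAC-SHA256, the cookie layout and all names (`Account`, `session_key`, `SITE_KEY`, `issue_cookie`, `verify_cookie`) are assumptions; the post does not say which construction the site uses.

```python
import hashlib
import hmac
import secrets

SITE_KEY = secrets.token_bytes(32)  # constructed stand-in for the site-wide secret


class Account:
    """Hypothetical account record; the field names are assumptions."""

    def __init__(self, user_id: int, password_hash: bytes):
        self.user_id = user_id
        self.password_hash = password_hash          # stored hash, never the password
        self.session_key = secrets.token_bytes(32)  # per-account key

    def reset_session_key(self) -> None:
        """The 'log out on all devices' button: earlier tags stop verifying."""
        self.session_key = secrets.token_bytes(32)


def _tag(account: Account, nonce: str, site_key: bytes) -> bytes:
    # Mix all three secrets into one MAC key (session_key has a fixed length).
    mac_key = hmac.new(site_key, account.session_key + account.password_hash,
                       hashlib.sha256).digest()
    message = f"{account.user_id}.{nonce}".encode()
    return hmac.new(mac_key, message, hashlib.sha256).hexdigest().encode()


def issue_cookie(account: Account, site_key: bytes = SITE_KEY) -> str:
    nonce = secrets.token_hex(16)  # makes each login's cookie distinct
    return f"{account.user_id}.{nonce}.{_tag(account, nonce, site_key).decode()}"


def verify_cookie(cookie: str, accounts: dict, site_key: bytes = SITE_KEY):
    """Return the Account the cookie belongs to, or None if it does not verify."""
    parts = cookie.split(".")
    if len(parts) != 3:
        return None
    try:
        account = accounts.get(int(parts[0]))
    except ValueError:
        return None
    if account is None:
        return None
    presented = parts[2].encode("utf-8", "replace")
    # Constant-time comparison, so the check does not leak how many bytes matched.
    if hmac.compare_digest(_tag(account, parts[1], site_key), presented):
        return account
    return None
```

Because the tag is recomputed from the account's current secrets on every request, no server-side session list is needed to revoke cookies: rotating the per-account key, the password hash or the site key is the revocation.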
Password Update
As part of all of these changes, the encrypted password for your account on Subeta is woefully out of date. We've been able to implement this system in a way that it takes priority over the former system, which means we don't need to rotate every password on Subeta immediately. You can still log in with your current password, and we will alert you through the news before we require passwords to be rotated.
Login Update
You'll get a very annoying notice at the top of the page letting you know that you're logged in through the old method (with an old cookie), and that we'd appreciate it if you went over to auth.subeta.net and logged in. It'll still read that old cookie, but we aren't going to be supporting this old system for long. This is different from needing to update your password; this is the temporary cookie that stores your account information in your browser. Very easy to fix by just logging in on auth.subeta.net. Remember to put in the email address for your account, not your username! You can check which email address you have set for Subeta at https://subeta.net/preferences.php?act=profile.
Thank you
Thank you for your patience while the authentication system crumbles and you're constantly being asked to log in to an account you're logged in to. I'm hopeful that this is the last major change we need to make to accounts, since we've made the hard choice to build it up from the ground instead of adding more duct-tape.
Posted by Keith



Yeah, same as a lot of other people, it's saying my password or email is invalid, and won't send a reset email, and the email is definitely correct.

not working for me. keeps saying invalid email and will not send the reset email ... it's the same email i have used for years and gotten emails from subeta before.

Ditto with everyone else - I checked my email address and password to confirm that they're correct. I did actually just reset my password, got booted off the site, and was unable to login through the new system - but able to log in with the old one.
I have to say I'm not a fan of anything centralized, these days, really.
Is that an external site?

I just changed my old password to a new one, and it still says incorrect. I'm sure I used the correct email and password. Now I'm stuck on mobile

Changed my email address a while back, went to login on new thing and says password is wrong. Went to reset password and haven't gotten an email to reset it. :(
The "Reset Password" button is greyed out for me, although my new password meets the requirements.
I hope I won't be logged out anytime soon, otherwise I'm in big trouble!

Not working for me, it's saying the email or password is wrong, but I did just log in using the same password. Is there any way to check if there is some other email associated with the account? Never needed anything but a username before.

Glad i'm not the only one having issues >_>; Not accepting my login, and not sending me a reset pw. 🤷


It's saying my password is wrong... it also will not email me a reset link and i'm using the same email that's in my preferences.

I tried to do it and it said my password was invalid.
I changed my password, it tells me the email is invalid.
What do I do?

I followed the link to auth.subeta.net and tried to log in but was told "Invalid email or password"


It says to me, "Invalid e-mail or password", I even changed my PW today to make sure it was correct, and the e-mail I'm using is the same on my profile, I don't get what's wrong. ):

Quick question though, if we changed our password now will we still have to change it again soon like was mentioned in the news post?

wanted to use my old pass to log in too, had no choice but to reset it using the new site as it didn't take my old one. hopefully the new site solves the problem for some people not being able to do stuff cause they're constantly getting logged out!

I also was having trouble logging in at first, but resetting my password worked (I was also using kind of an old and weak password that didn't meet the conditions of the new system).
I'm not seeing the banner at the top anymore either.


I'm having the same problem, too. I am very certain I'm using the right password and e-mail.
I might need to reset my password too but that's not a hassle I'm doing on my phone. That can wait a few hours.

I'm also getting the message that i'm using the old cookie still even after clearing all cookies and logging in fresh using the new auth.subeta.net website


Resetting password worked. I think it was because I didn't have a special character in my old password, so wouldn't be accepted under the new security requirements for a strong password?
KeithTest
STAFF
@SeleneOryx I'll take a look, but in the meantime you can do a password reset on https://auth.subeta.net!

It's saying my password is incorrect, even though I'm using the saved password on my browser .... Tried every email I own, and even changed it under dashboard -> profile -> email.

KeithTest
STAFF
@Wizardpinky You can see your email here: https://subeta.net/preferences.php?act=profile

I click on the link and it says enter email. What happens if you forgot the email you used? Is there a way we can look it up? If not, would there be an option for username??
