There are only a tiny number of web pages on which it's ever OK to type a CSAIL account password (Kerberos password or email password). This page intends to exhaustively list those web pages. If you are considering typing your CSAIL password into a web site and you're not sure whether it's safe, come to this page. Then make sure you're coming to this page over SSL (using the URL https://tig.csail.mit.edu/wiki/TIG/LegitimatePasswordRequests — note the "s" in "https://"), with a little padlock icon next to the URL. Then, instead of following the URL from an email message or something like that, click the URL on this page (or retype it). That will help defend you against camouflaged URLs, which may look like they're going to one of these CSAIL URLs but really go someplace else.

If anybody (including a web page that appears to be a TIG web page, or email from somebody who appears to be a TIG sysadmin) ever tells you to enter a CSAIL password on any web page that is not listed here, please

  1. don't do it, and
  2. if it's not just a run-of-the-mill email phishing attempt (or if it is one, but you think anybody else at CSAIL might be fooled by it, or it has a surprising amount of CSAIL-specific information in it), let us know, by sending mail to help@csail.mit.edu with as much detail as possible.

If you have any questions about this web page (e.g., whether you should trust it, or how to determine whether it's the real web page or a copy somebody has made and edited), you can come see a TIG sysadmin in 32-276 or elsewhere in TIG.

The list of legitimate web pages that might ask for a CSAIL password

Kerberos passwords

Email and Jabber passwords

Not everybody has an email password. If, like many CSAIL members, you forward your mail elsewhere, you don't need an email password, and you won't ever need to use any of the pages listed below. But if you receive mail on our IMAP server, send it through our outgoing mail server, or use our Jabber conferencing system, you'll have chosen an "IMAP" password (really, also used for sending email and for Jabber conferencing) as well, and here are the web pages where you can legitimately enter that password:

  • https://imap.csail.mit.edu:1443/cgi-bin/create/request-imap
    This is the form where you initially request an IMAP email account and specify your password. (It knows who you are because you already need a browser certificate, which you got at one of the ca.csail.mit.edu pages listed above.)
  • https://imap.csail.mit.edu:1443/cgi-bin/create/change
    This page allows you to change your IMAP password. (As for the email-account creation page, it knows who you are because of your browser certificate.)
  • https://webmail.csail.mit.edu/horde/login.php
    This is the login page for CSAIL's webmail interface, for people who can't conveniently use a normal email client on their laptops (or phones) when travelling for some reason. (It also provides access to some other services like email filter configuration and calendar services.) If you haven't logged in yet, the URL https://webmail.csail.mit.edu/horde/ will redirect you to that page so you can log in, but https://webmail.csail.mit.edu/horde/login.php is the only page on the webmail server on which you should ever type your email password.
  • https://jabber.csail.mit.edu/jwchat/
    This is a web-based interface to our Jabber/XMPP messaging server. (It's sort of like webmail for CSAIL's instant-messaging server.) Very few people outside of TIG use our Jabber server, and even fewer would ever need to use this web-based interface to it, but it's mentioned here for completeness.
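
The by-eye comparison this page asks for, written out as an added example (not TIG's own code): a link passes only if its scheme, host, port and path exactly match one of the four URLs listed above. The names `LISTED`, `LISTED_PATHS`, `check` and `SAMPLES` and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# The four password-page URLs listed on this page, copied verbatim.
LISTED = (
    "https://imap.csail.mit.edu:1443/cgi-bin/create/request-imap",
    "https://imap.csail.mit.edu:1443/cgi-bin/create/change",
    "https://webmail.csail.mit.edu/horde/login.php",
    "https://jabber.csail.mit.edu/jwchat/",
)

# Map (host, port) -> set of listed paths on that server.
LISTED_PATHS = {}
for _url in LISTED:
    _p = urlsplit(_url)
    LISTED_PATHS.setdefault((_p.hostname, _p.port or 443), set()).add(_p.path)


def check(url):
    """Return (ok, reason) for a link that asks for a CSAIL password."""
    try:
        parts = urlsplit(url.strip())
        port = 443 if parts.port is None else parts.port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme != "https":
        return False, "not https"
    if "@" in parts.netloc:
        # Text before '@' is user info, not the host the browser contacts.
        return False, "user-info prefix in front of the real host"
    origin = (parts.hostname, port)
    if origin not in LISTED_PATHS:
        return False, f"{parts.hostname}:{port} is not a listed server"
    if parts.path not in LISTED_PATHS[origin]:
        return False, "listed server, but not a listed password page"
    return True, "listed on this page"


# Constructed sample links (example.net is a reserved documentation domain).
SAMPLES = (
    "https://webmail.csail.mit.edu/horde/login.php",
    "https://webmail.csail.mit.edu/horde/",
    "http://webmail.csail.mit.edu/horde/login.php",
    "https://imap.csail.mit.edu/cgi-bin/create/change",
    "https://webmail.csail.mit.edu.example.net/horde/login.php",
    "https://webmail.csail.mit.edu@example.net/horde/login.php",
)

if __name__ == "__main__":
    for link in SAMPLES:
        print(check(link), link)
```

Only the first sample passes; the second is rejected even though it is on the real webmail server, matching the rule above that login.php is the only webmail page on which to type the password.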

-- JaySekora - 21 Apr 2017
Topic revision: 21 Apr 2017, JaySekora
 
