Accounts and Authentication

Access to just about everything TIG has to offer is granted via your CSAIL Kerberos account.

Getting an Account

You can obtain a CSAIL Kerberos account, and optionally a CSAIL email account, by filling out the application form below.

Once you have applied for an account and your supervisor approves the request, you gain access to several new resources:

Will my CSAIL account go away when I leave?

We understand that many CSAIL alumni continue to collaborate with their colleagues at the Lab after they graduate (or retire, or resign). For students and employees who leave CSAIL on favorable terms, we expect to maintain accounts for some time into the future. Provided that your account does not represent a security issue, and that your use of the account does not harm CSAIL’s resources or reputation, we will maintain accounts and email forwarding indefinitely. However, even though we do not delete accounts, you will lose access to your account if you fail to:

  1. Keep your CSAIL email forwarding current,
  2. Respond to mail we send you at your CSAIL email address, and
  3. Keep an active association with your former supervisor (or another CSAIL supervisor) as sponsor of your account.

You should not expect to be able to continue to use CSAIL IMAP for your email after you leave. To update your email forwarding address, use INQUIR. Before you leave CSAIL, you can link a third-party identity (such as a GitHub or Google account) to your INQUIR record, which will allow you to update your email forwarding and directory information even after your CSAIL account expires.

CSAIL supervisors must approve the continuation of student accounts at the end of each Institute fiscal year. They may choose, at their discretion, to renew each student's account for a term or to allow it to expire. (Supervisors will receive mail a few weeks before the deadline with a list of users and a link to the appropriate WebINQUIR function.)

If your account is allowed to expire, you will lose access on July 1 following your last term. (Mail forwarding will continue indefinitely, as will Web service for files in your ~/public_html directory and Web forwarding from

Supervisors have a 45-day grace period to renew accounts; after that time, a system administrator must reactivate the account.

CSAIL account expiration

CSAIL accounts for certain classes of users—students, visitors, affiliates, guests, alumni, and certain temporary employees—automatically expire at the end of every fiscal year (specifically, at midnight UTC on July 1, which is 8 PM on June 30 local time here in Cambridge).

Users who have changed supervisors should have their new supervisor or supervisor’s assistant notify to confirm the change. Notifications to supervisors are sent out annually at the beginning of June (usually the first business day). Users whose accounts are not renewed receive a notification email on or around July 1. (Some users have unusual expiration dates set by their supervisors and will not get any notifications.)

How do I change my Kerberos Password?

If you already know your password:

If you have forgotten your CSAIL Kerberos Password:

CSAIL Kerberos Account Password Requirements

Treat your Kerberos password like your Passport

Your Kerberos principal is your digital identity at CSAIL. You establish that identity using a username and password, but you should think of your Kerberos principal like a passport: if someone gains access to it, they can very effectively pretend to be you and, if they wish, cause much destruction and pain for you. A CSAIL Kerberos principal unlocks access to a very large amount of network bandwidth and computation power, enough to cripple a small country if used maliciously. You are responsible for your Kerberos principal, so treat it well.

A common mistake people make with their CSAIL accounts is reusing a password that they also use for low- or no-security applications like Gmail accounts, Dropbox, Facebook, or any other free web-based service. Such passwords are often gleaned and then used to access login accounts, so you should choose totally different passwords for these two distinct types of applications.