cat > layouts/partials/flex/body-beforecontent.html << 'EOF'
Navigation :

Accounts and Authentication

Your CSAIL Kerberos account is your digital identity at CSAIL. It grants you access to CSAIL systems, storage, email, and computing resources.

Getting an Account

You can obtain a CSAIL Kerberos account and optionally a CSAIL email account by filling out the application form below.

If you are also getting a new MIT.EDU (main campus) account at the same time, wait approximately one hour after that account is set up before requesting your CSAIL account. This ensures email will be delivered properly.

Your CSAIL account will be active about one hour after your supervisor approves the request.

Request an account here

What You Get With Your Account

Once approved, you gain access to:

CSAIL Kerberos and CSAIL IMAP Accounts

Your CSAIL Kerberos account and your CSAIL IMAP email account are separate systems with separate passwords. Your Kerberos account grants you access to CSAIL systems, storage, and computing resources. Your IMAP account is optional and provides email delivery and storage. You may have a Kerberos account without an IMAP account (for example, if you forward your @csail.mit.edu email elsewhere). TIG recommends using unique, different passwords for each account. For complete details, see Email and Communicating.

Security: Protect Your Kerberos Password

Your Kerberos principal is your digital identity at CSAIL. Think of it like a passport. If someone gains access to it, they can impersonate you and access CSAIL’s network bandwidth and computing power. You are responsible for protecting it.

Common mistakes:

Use a unique, strong password for your CSAIL account that is completely different from passwords on public websites.

Changing Your Kerberos Password

If you know your current password:

If you’ve forgotten your password:

Password Requirements

In accordance with NIST SP800-63B version 4, we require:

Existing accounts created before this policy was adopted in 2024 may have weaker passwords, but in the absence of compromise we do not force them to be changed. (Passwords older than July, 2019, were expired after a compromise.)

Not every user interface for changing passwords is currently able to check the database of compromised passwords.

Account Lifecycle and Expiration

Student accounts

Your supervisor must approve renewal of your account at the end of each MIT fiscal year. If your account is not renewed, you lose access to CSAIL systems on July 1 of that year. Mail forwarding and web services (~/public_html/) continue indefinitely.

Supervisors receive renewal notifications a few weeks before the deadline via WebINQUIR.

All accounts

When your affiliation with CSAIL ends, the following happens:

For detailed preparation before departure, see our departure checklist.

CSAIL accounts for certain classes of users—students, visitors, affiliates, guests, alumni, and certain temporary employees—automatically expire at the end of every fiscal year (specifically, at midnight UTC on July 1, which is 8 PM on June 30 local time here in Cambridge).

Users who have changed PIs should notify help@csail.mit.edu of the name of the new PI and the name of the new research group so that their account can be updated. Notifications to PIs and supervisors are sent out annually at the beginning of June (usually the first business day). Users whose accounts are not renewed receive a notification email on or around July 1. Users’ accounts must be renewed or reactivated by their PI, supervisor, or CSAIL Human Resources. TIG CANNOT RENEW USER ACCOUNTS. Users may send individual reminders to their PI or supervisor to renew or reactivate their account, which can be done at inquir.csail.mit.edu/users/INSERT CAPITALIZED USERNAME (Some users have unusual expiration dates set by their supervisors and will not receive any notifications.)