Legitimate Password Requests

Legitimate Password Requests

There are only a tiny number of web pages on which it’s ever OK to type a CSAIL account password (Kerberos password or email password). This page intends to exhaustively list those web pages. If you are considering typing your CSAIL password into a web site and you’re not sure it’s safe or not, come to this page. Then make sure you’re coming to this page over SSL (using the URL https://tig.csail.mit.edu/email-communicating/legitimatepasswordrequests/ — note the “s” in “https://”), with a little padlock icon next to the URL. Then, instead of following the URL from an email message or something like that, click the URL on this page (or retype it). That will help defend you against camouflaged URLs which may look like they’re going to one of these CSAIL URLs but really go someplace else.

If anybody (including a web page that appears to be a TIG web page, or email from somebody who appears to be a TIG sysadmin) ever tells you to enter a CSAIL password on any web page that is not listed here, please

1. don’t do it, and 2. if it’s not just a run-of-the-mill email phishing attempt (or if it is one, but you think anybody else at CSAIL might be fooled by it, or it has a surprising amount of CSAIL-specific information in it), let us know, by sending mail to help@csail.mit.edu with as much detail as possible.

If you have any questions about the this web page (e.g., whether you should trust it, or how to determine whether it’s the real web page or a copy somebody has made and edited), you can come see a TIG sysadmin in 32-276 or elsewhere in TIG.

The list of legitimate web pages that might ask for a CSAIL password

Kerberos passwords

• https://signup.csail.mit.edu/signup – This is the web page to sign up for a new CSAIL account, and as one step of the signup procedure, it asks you for a new Kerberos password. You’ll only ever need to do this once (and if you’re reading this, you probably already have done so and have a CSAIL account).
• https://oidc.csail.mit.edu/login (and https://oidc.csail.mit.edu/login?logout) – This is the new single-signon login page for CSAIL web applications and other CSAIL web access control, serving a similar function to CSAIL web client certificates (which we used until July 2018). It’s run by TIG, and it will be available for use by various web applications (e.g., you might go to some other website that needs you to log in, and it would send you to http://oidc.csail.mit.edu/login to do so, but you wouldn’t actually type your password on the other web page, just at https://oidc.csail.mit.edu/login.)

Email passwords

Not everybody has an email password. If, like many CSAIL members, you forward your mail elsewhere, you don’t need an email password, and you won’t ever need to use any of the pages listed below. But if you receive mail on our IMAP server or send it through our outgoing mail server, you’ll have chosen an “IMAP” password (also used for sending email) as well, and here are the web pages where you can legitimately enter that password:

• https://webmail.csail.mit.edu/horde/login.php – This is the login page for CSAIL’s webmail interface, for people who can’t conveniently use a normal email client on their laptops (or phones) when traveling for some reason. (It also provides access to some other services like email filter configuration and calendar services.) If you haven’t logged in yet, the URL https://webmail.csail.mit.edu/horde/ will redirect you to that page so you can log in, but https://webmail.csail.mit.edu/horde/login.php is the only page on the webmail server on which you should ever type your email password.
• https://imap.csail.mit.edu/cgi-bin/create/change is the web form into which you can type a new email password to change it. You have to already have logged into our single-signon login page (mentioned above) with your Kerberos password in order to get to this page.