Single-Sign-On Browser Security Issue (Resolved)

Why am I receiving this message?

A security issue involving the Marshall University Single-Sign-On (MUSSO) web server was reported to the Marshall University Information Security Office on Tuesday, October 13, 2015. The issue involves the potential exposure of your MUNet credentials (username and password).

Does this affect me?

This issue would occur if you use the ‘[x] Remember Me’ checkbox when logging in to MUSSO-authenticated websites (including myMU, Lynda and Philo). When the box is checked, your MUNet credentials are written to a web cookie which is stored in your user profile. The exposure could occur on a computer on which someone other than you has administrative access. Ordinarily your user profile folder is secured so that it is only accessible to you. An administrative user has the ability to override this setting and gain access not only to this cookie but to any other files stored on the system.

What do I need to do?

If you have used the ‘[x] Remember Me’ checkbox when logging in to a MUSSO-authenticated website, you should change your MUNet password. Changing your password will prevent someone from being able to use the password saved by the checkbox. You can use the MUNet Password Change Website to quickly change your password whether you are located on-campus or off. Important: Remember to update your MUNet password wherever else it is saved, as it is often stored on other mobile devices. For example: mobile device wireless/Wi-Fi connection, Office365 or Outlook/Exchange e-mail, wired network connections in MU Residence Halls, etc.

If you have NEVER used the ‘[x] Remember Me’ checkbox, you are not required to change your password. However, if you have never changed your MUNet password before, with October being National Cyber Security Awareness Month, this would be a good opportunity to do so. See the Protect Your Identity topic for information on securing your online accounts, creating hacker-resistant passwords, and using password management software.

What is Marshall Information Technology doing?

Marshall IT has removed the ‘[x] Remember Me’ checkbox. The login function has also been updated to overwrite a remembered password should a previously stored cookie be found in your user profile folder. Note: this will only occur on computers which you log into after October 14, 2015. MU IT is also notifying our user community of this issue via e-mail, the IT Alerts WWW page and the MUSSO logon pages.

Where can I go for more information?

Changing your password is a self-service function: simply click on the ‘Change Password’ link located on the myMU Login page. If you need assistance or have additional questions, contact the Marshall University IT Service Desk at (304) 696-3200 or via e-mail at