
QuickBooks Desktop Security Update Details

Written by Charlie Russell

Intuit has been rolling out a QuickBooks Desktop security update and the changes have created quite an uproar in both the user and accounting professional communities. Looking at these discussions I see that there is confusion and a few misconceptions about the changes, along with a lot of anger. Let’s take a closer look at what has been changed, and why.

Note: This article was updated shortly after publication with information on QuickBooks 2015, and then on 7/8/2016 to add some corrections.

Charlie Russell will be presenting the session, Recent Developments in QuickBooks and Looking Ahead, at Accountex 2016.

QuickBooks Desktop Security Update Hullaballoo

In a nutshell, Intuit is updating supported versions of QuickBooks desktop (for Windows) so that most users are now required to have a complex password, depending on what information they have stored in their file. This is a change from before, where you only were required to have this kind of password if you enabled Customer Credit Card Protection, a feature needed for security when storing credit card information in your QuickBooks files.

QuickBooks users are suddenly finding that they cannot get into their QuickBooks files without first creating a new, complex password, even if they don’t have credit card information stored in the file. This creates an additional hassle for many users.

Accounting professionals are now faced with managing a large number of unique passwords across multiple client files, for every accounting user who has to access those files, which is creating a huge amount of extra work and inconvenience.

Complex QuickBooks Passwords

As we’ve seen with the release of QuickBooks 2016 R7, Intuit has started requiring that all users have a “complex QuickBooks password” in some, but not all, cases. If you upgrade your file from a prior version (a prior year of QuickBooks, or a 2016 version earlier than R7) you may see this kind of message:

Complex QuickBooks Password in QuickBooks 2016

A Complex QuickBooks Password is a password that has at least 7 characters, and it includes at least one number and one uppercase letter.

A key issue that has some people upset is the requirement to change the password every 90 days. It’s bad enough that you have to create a harder-to-remember complex password, but you also have to change it every 90 days? And you can’t just switch back and forth between two passwords, you have to go through about five different passwords before you can repeat one again? What a pain!

However, you don’t necessarily have to change every 90 days. As I’ll discuss below, sometimes this is required, sometimes it is just recommended. This is an important point that is being missed in many of the discussions I’ve seen.

Note that this is how it works in QuickBooks 2016 and 2015 in the most current updates. Users of QuickBooks 2014 and probably 2013 won’t see “recommended”, they’ll see “required”, at least for the time being.

Another aspect of this update, if the Admin user is required to have a complex password, is that QuickBooks is going to require that all user accounts in this file have a complex password.

Additional users need passwords

This window says that passwords are strongly recommended, but in my testing so far I’ve found that these users must have a password, and that it must be a complex password, or they can’t log in.

I don’t like Intuit’s suggestion that you delete inactive user accounts, though. As it stands now, if you delete a user then that user name is deleted from the audit trail. The audit trail still shows the transactions for that user, but you can’t tell which user created them. Until Intuit fixes that I generally don’t recommend that you delete a user account.

Why Some People Are Upset

There are lots of reasons why people don’t like this update; some reasons are more valid than others in my eyes. I do feel that too many businesses are lax with security. I’ll extend that to some accounting professionals as well, who should know better. All too often we see situations where there are no passwords at all, or people use passwords that are worthless.

Some reasons why people are upset:

  • What if you don’t feel that you have critical information that needs to be protected? Some people use QuickBooks for very simple tasks, and they don’t feel that passwords are needed. But Intuit is making that decision for you.
  • Why complex passwords? These are harder to remember, and people are more likely to just write the password on a sticky note stuck to the monitor.
  • Changing every 90 days? If that is required (and it isn’t always, depending on circumstances) it creates a huge hassle in keeping things up to date, and remembering the latest password.
  • What if your business runs multiple QuickBooks files? Your user login is set per company file, so every user has to remember a complex password for each separate file.
  • What about accounting firms where you may have a large number of separate QuickBooks client files, but also could have a large number of employees/users who are accessing those files? Management of that many files and users can be a major chore.
  • On a personal note, for someone like me who is testing QuickBooks in a wide variety of configurations, this update is a pain in the rear. But that isn’t something that is significant (other than to me).

What Triggers the Need for a Complex Password

A lot of the confusion here is that up to now, you only needed a complex password if you were dealing with credit card information. Now people without credit card information are seeing this, and it is very confusing.

Now there are two classes of triggers for the complex password requirement in the QuickBooks desktop security update: customer credit card information and personally identifiable information.

Customer Credit Card Information

We’ve talked about PCI compliance on multiple occasions, where (I’m summarizing quite a bit) if your business stores client credit card information in your files you have to protect that information. It makes sense that if you are storing credit card information then you should have a complex password for anyone who has access to the data.

If you enable Customer Credit Card Protection (an option in the Company menu) then you must have a complex password, and you are required to change it every 90 days. This makes sense, and QuickBooks has worked that way for some time now. Supposedly all files that had this feature enabled before this security update already had this kind of password set up, but now QuickBooks is checking all user accounts in the file to make sure that they are set up properly.

QuickBooks customer credit card protection

What has changed with this security update is that you are required to have a complex password for all users even if you have not enabled Customer Credit Card Protection. If you have stored credit card information in any customer record in the file then you must have a complex password. However, you are not required to change it every 90 days if that feature isn’t enabled.

This is one of the changes in this update that is upsetting some people – they may have some credit card information in a customer record, somewhere, and that triggers this requirement. You can find those customers and delete the information to get around this, but there isn’t a report that I’m aware of that will list the customer and their credit card number. It can be painful to find that one customer record that is setting this feature off.

As a side note, when setting up a user in QuickBooks you have an option to allow them to view complete customer credit card numbers. I’m showing that option in Premier in the screenshot below. This apparently has no effect on this security issue, because if I un-check this box then the user still must have a complex password. Too bad; this would have been an easy way to let some users into the system without requiring a complex password, since they can’t see this credit card data.

This option doesn't help

Personally Identifiable Information

If your file has Personally Identifiable Information (PII) in it then you will be required to have a complex password for all users, but you will not need to change them every 90 days in QuickBooks 2016. At this point I believe you still need to change every 90 days in QuickBooks 2015 and 2014, but that requirement may change in the future when Intuit brings those products up to the same level as 2016.

What kind of information is considered PII? I’ve found that it is very rare to have a file that does not have PII. According to the Intuit security KB article, PII is:

  • An employee record with a Social Security Number. Note that this is true even if you aren’t using Intuit payroll.
  • Any vendor record with a Vendor Tax ID, even if you aren’t processing 1099’s.
  • Any “bank” account in your Chart of Accounts with a Bank Account Number or a Routing Number, even if you aren’t using online banking.
  • An Employer Identification Number (EIN) or Social Security Number (SSN) in your Company Information.

That covers every client company file that I work with, and pretty much every test file I’ve set up.

Note that if you turn Customer Credit Card Protection off and remove all of this Personally Identifiable Information, you are no longer required to have a complex password. And, again, the 90 day renewal should only be required if you have Customer Credit Card Protection enabled.
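The trigger rules in the two sections above can be written down as a small decision model, which is useful when auditing a client file before an update. This is an added example, not Intuit’s code: the CompanyFile fields, the five-password history depth and the plaintext history list are assumptions made for illustration (a real product would compare password hashes, never stored plaintext).

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Complex password rule as the article describes it: at least 7 characters,
# at least one digit and at least one uppercase letter.
MIN_LENGTH = 7
# The article says "about five" passwords must pass before one may be reused;
# this depth is an assumption for the example, not a documented Intuit value.
HISTORY_DEPTH = 5
ROTATION_DAYS = 90


@dataclass
class CompanyFile:
    """What a company file stores, following the article's trigger list (constructed model)."""
    credit_card_protection_enabled: bool = False   # Company menu > Customer Credit Card Protection
    has_customer_card_numbers: bool = False        # card number in any customer record
    has_employee_ssn: bool = False
    has_vendor_tax_id: bool = False
    has_bank_account_numbers: bool = False         # bank account or routing number on a bank account
    has_company_ein_or_ssn: bool = False           # EIN/SSN in Company Information

    def has_pii(self) -> bool:
        return any((self.has_employee_ssn, self.has_vendor_tax_id,
                    self.has_bank_account_numbers, self.has_company_ein_or_ssn))


def password_policy(f: CompanyFile) -> dict:
    """Which requirements the file triggers, per the 2016 R7 / 2015 R10 behaviour."""
    complex_required = (f.credit_card_protection_enabled
                        or f.has_customer_card_numbers
                        or f.has_pii())
    return {
        "complex_required": complex_required,
        # 90-day rotation is enforced only when Customer Credit Card Protection is on;
        # with stored card numbers or PII alone it is recommended, not required.
        "rotation_required": f.credit_card_protection_enabled,
        "rotation_recommended": complex_required and not f.credit_card_protection_enabled,
    }


def is_complex(password: str) -> bool:
    """The 7-character / one digit / one uppercase rule from the article."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[A-Z]", password) is not None)


def validate_new_password(candidate: str, history: list) -> list:
    """Problems a user would hit when changing a password; an empty list means accepted.
    `history` is oldest-first; plaintext here only to keep the example self-contained."""
    problems = []
    if not is_complex(candidate):
        problems.append("not complex: need >=7 chars, a digit and an uppercase letter")
    if candidate in history[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems


def rotation_due(last_changed: date, today: date, policy: dict) -> bool:
    """True only when rotation is *required* (CCCP on) and the 90-day window has lapsed."""
    return (policy["rotation_required"]
            and today - last_changed >= timedelta(days=ROTATION_DAYS))


if __name__ == "__main__":
    # Constructed file: a vendor tax ID but no card data and CCCP off.
    pol = password_policy(CompanyFile(has_vendor_tax_id=True))
    print(pol)                                    # complex required, rotation only recommended
    print(validate_new_password("abc123", ["Summer2016"]))
```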

QuickBooks Desktop Security Updates Versions

This security update only affects the Windows versions of QuickBooks desktop, including Pro, Premier, Accountant and Enterprise. You won’t see this issue in QuickBooks Online or QuickBooks for Mac.

It affects all of Intuit’s supported national versions, including the US, Canadian and UK versions.

Beyond that you need to look at the year and the revision of your product. To see this, run QuickBooks and press the F2 key to open the Product Information window. This will show you the year and release of QuickBooks. For instance, this is the 2016 release, revision R7_114.


Generally when we talk about a revision we are talking about the first part of that R-level notation. This would be release “R7”, for example. You generally have to approve the installation of an R-level update, such as moving from R6 to R7. Intuit provides some information on what these updates contain when they come out, listed in their support website. I try to let people know about these updates when they occur.

Intuit also has a “background” update mechanism that can install updates without you having to specifically approve installation (although you must have Automatic Updates enabled for this to happen). Usually Intuit doesn’t notify us about these background updates, and usually they don’t involve significant changes (except in this case!). The number after the underscore represents the level of the background update – in this case you have the “114” update to R7. Often I don’t pay a lot of attention to these background updates, but in this case this is important information.

Here are the versions of QuickBooks that have implemented the QuickBooks Security Updates. If you don’t have the full revision number listed, or later, then you don’t have this update.

  • QuickBooks 2016 R7_114
  • QuickBooks 2015 R10_15
  • QuickBooks 2014 R11_40

QuickBooks 2013 and older are no longer supported by Intuit, and they told me that this year of product doesn’t have this security update. Note, though, that at the time I’m writing this the Intuit security KB article states that this update also was released in QuickBooks 2013 R18_4.
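For a firm tracking many client installs, the “full revision number listed, or later” test above can be automated from the R-level string shown in the Product Information window. This is an added example, not Intuit’s tooling: the inventory rows are constructed, and 2013 is deliberately left out of the table because the article reports conflicting information for it.

```python
import re
from typing import Optional

# Minimum revision per product year that carries the security update,
# taken from the article's list.
SECURITY_UPDATE_MIN = {
    2016: "R7_114",
    2015: "R10_15",
    2014: "R11_40",
}

# "R7_114" -> R-level 7, background update 114; "R7" alone has no background level.
_REV = re.compile(r"^R(\d+)(?:_(\d+))?$")


def parse_revision(rev: str) -> tuple:
    """Turn 'R7_114' into (7, 114). A bare 'R7' parses as (7, None) so the caller
    can tell that the background-update level was not shown."""
    m = _REV.match(rev.strip().upper())
    if not m:
        raise ValueError(f"unrecognised revision string: {rev!r}")
    major = int(m.group(1))
    minor = int(m.group(2)) if m.group(2) is not None else None
    return major, minor


def has_security_update(year: int, rev: str) -> Optional[bool]:
    """True/False when the answer is certain; None when the product year is not in
    the table or the background-update level cannot be read from `rev`."""
    if year not in SECURITY_UPDATE_MIN:
        return None
    need_major, need_minor = parse_revision(SECURITY_UPDATE_MIN[year])
    have_major, have_minor = parse_revision(rev)
    if have_major != need_major:
        # A later R-level always includes the earlier background updates.
        return have_major > need_major
    if have_minor is None:
        return None          # same R-level, but F2 window did not show the "_nnn" part
    return have_minor >= need_minor


# Constructed inventory of client files, as an accounting firm might keep it.
SAMPLE_INVENTORY = [
    ("Client A", 2016, "R7_114"),
    ("Client B", 2016, "R6_42"),
    ("Client C", 2015, "R10_15"),
    ("Client D", 2014, "R11_40"),
    ("Client E", 2016, "R7"),
]

_LABEL = {True: "update present", False: "update absent", None: "unknown"}


def audit(inventory) -> dict:
    """Map client name -> status so the firm can see which files will start prompting."""
    return {name: _LABEL[has_security_update(year, rev)] for name, year, rev in inventory}


if __name__ == "__main__":
    for client, status in audit(SAMPLE_INVENTORY).items():
        print(f"{client}: {status}")
```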

However, note that at this point the 2016 and 2015 products differ from the 2014 and 2013 products. In 2016 R7 and 2015 R10 if you don’t have Credit Card Protection enabled you are not required to change your password every 90 days. That will be “recommended”, not “required”. In the other products you may still be required to change it every 90 days if you are forced to have a complex password. I expect that this will change at some future date when Intuit brings those older products up to speed with changes in 2016, although I can’t be sure.

Note: When this article was published initially, only the 2016 product had this feature. Shortly after publication Intuit updated the 2015 product to include it also.

What Intuit Says

According to Intuit:

Intuit has identified, and is implementing updates to address a security vulnerability in QuickBooks desktop software. We are proactively notifying customers of the steps required to install an update, which is designed to address the security vulnerability, and regarding other steps they can take to protect themselves and their data. To help protect customers, we don’t disclose specific details about security vulnerabilities that we discover. This information could be used by criminals to find and take advantage of the vulnerability. At this time, we know of no cases where anyone has taken advantage of this vulnerability to obtain sensitive data.

What Can You Do?

There are only two ways to avoid all of these password requirements: Don’t install this update or remove all of the sensitive information from your file (and turn customer credit card protection off).

Neither of these approaches is practical in many cases. Sure, you can use a third-party setup to keep customer credit card information out of your file – in fact, I recommend that highly. Don’t have credit card info on hand at all; use some outside service like Bill and Pay or Bill.com to handle that, and it will save you a lot of headaches. But if you are using an Intuit payroll system, sending vendor 1099’s through QuickBooks, using QuickBooks Payments, or using bank feeds, you are going to trigger this security issue.

I generally don’t recommend that you freeze your QuickBooks installation at a particular revision. Intuit is always working on bug fixes and reliability updates, so it is (usually) best to keep your product up to date. I do often recommend that you wait to install a revision until we are sure that the revision doesn’t cause more problems than it will fix, and on occasion there have been some updates that I tell people to skip. But even if we recommend skipping a revision, you are going to install a later revision down the line. With this security update I don’t see Intuit backing off or making really large changes down the line. I could be mistaken on that account, but from what I see this is going to be the way it works moving forward. So you are eventually going to want to install an update that has this change in it, someday.

As far as removing all the sensitive data from your file, for most businesses that just isn’t practical. And, you probably need to do this before you update to these revisions. Once this level of security is enabled, I don’t believe that you can back out of it. Removing the sensitive data after the fact probably won’t rescind the extra security. Updated 7/8/2016: Intuit confirmed that if you remove all PII and credit card info, and turn Credit Card Protection off, the complex password requirement will be removed.

So it looks like we are stuck with it, pretty much.

For those accounting firms that manage a large number of client files, I recommend that you look into a password management program like LastPass or RoboForm. These products can save you a lot of headaches when tracking multiple passwords.

My Thoughts On the QuickBooks Desktop Security Update

Yes, this is a pain in the rear to deal with, but data security is an important issue that many businesses tend to ignore.

I’ll go out on a limb here, and I’m sure that some people won’t agree with me. I recommend that you install this update and accept the higher level of security. It is going to be there in all releases moving forward, and it isn’t a good idea for people to stall their installation at a particular revision level.

Data security is important and this update is addressing, according to Intuit, a “security vulnerability”. I don’t have any solid information about the security vulnerability that they have identified, so it is hard for me to evaluate the need for a change like this. However, there are a number of clues floating about and I think I have a handle on at least one aspect of this. If I’m right, then these changes are a good idea, although Intuit may have taken the issue a bit further than we all would have liked.

With a desktop product like QuickBooks your security exposure is very different than with something like QuickBooks Online. You have a better chance for “physical” data security – controlling access to your computer network, preventing unauthorized access to files, implementing good password controls and so forth. But, is your data totally secure? When I visit businesses that use QuickBooks and look at their procedures I often find that they aren’t really taking enough precautions with their data.

So, Intuit is forcing everyone to implement a higher level of password control if there is any kind of information stored that should be protected. And I’m guessing that we’ll see some more changes in the future that focus on data security (hopefully not as intrusive as this one).

I do have some issues with how Intuit has implemented this security update, though:

  • I don’t think that Intuit did a good job in notifying people in advance about what the changes would be. In particular, I would have liked to see Intuit do a better job in communicating to ProAdvisors what the changes would be and why they were being made, in advance of the release. Some notifications went out, but the full impact of these changes wasn’t apparent. This caught a lot of people by surprise.
  • It would have been helpful if Intuit had made this an optional feature. You can choose to implement Credit Card Protection, for example; couldn’t they also extend that in some way to allow us to opt in for protection of Personally Identifiable Information (PII)? Let the users opt in (or at least opt out) of this additional security. Intuit is making it clear that they are putting security first, to protect their customers’ data, but we still need to have some control over our business flow. And, I’m well aware that many people will turn security features off even if they shouldn’t, so is this the best way for Intuit to go? To force everyone into a higher level of security?

I’m concerned that these changes, as they stand now, are going to either make people not update their program (which is a bad thing in the long term), or to turn to less secure ways of dealing with these passwords. More sticky notes with passwords, less secure passwords (company name with a date, or something like that), accounting firms using the same password for all of their client files, and so forth.

I wish that Intuit had a better way to deal with passwords like this, but a lot of the suggestions that I’ve heard from people are just too technically complicated to implement in QuickBooks desktop.

Many products treat user accounts very differently than QuickBooks does. User logins aren’t associated with just one company file; you will often have a user credential that works across multiple individual files. That, along with changes in how preferences are managed, would go a long way toward resolving the issues of this update. However, that would require a major overhaul of QuickBooks, and the thought of that scares me. QuickBooks is an old product, and it seems to be really sensitive to major changes. The work it would take to make this kind of change would be significant, and even if Intuit wanted to spend the money and time to do it, I would be very, very worried about how this would affect the reliability of the product.

For accountants, we have the QuickBooks File Manager. It helps by managing client files and storing passwords. I don’t see a lot of people using that, to tell the truth. It is an underdeveloped feature; the last time I looked at it, the multiuser functionality was very poor (almost nonexistent). If we are going to accept the security updates as they exist, it would be very helpful to accounting professionals if Intuit would put some significant effort into improving the functionality of QuickBooks File Manager.

So, what do you think? Leave a comment here so that Intuit can see. How would you change this update, how important is this kind of security for you, why is this update a problem for your business?



About the author

Charlie Russell

Charlie Russell has been involved with the small business software industry since the mid-70s, and remembers releasing his first commercial accounting software product when you had an 8-bit microcomputer with one 8-inch floppy disk drive. He has a special interest in inventory and manufacturing software for small businesses. Charlie is a Certified Advanced QuickBooks ProAdvisor with additional certifications for QuickBooks Online and QuickBooks Enterprise, as well as being a Xero Certified Partner. Charlie started blogging about QuickBooks in 2008 (Practical QuickBooks) and has been the managing editor and primary writer for the Accountex Report (formerly the Sleeter Report) since 2011. Charlie can be reached at [email protected]

Visit his CCRSoftware web site for information about his QuickBooks add-on products. He is also the author of the California Wildflower Hikes blog.

161 Comments

  • Thought you might want to mention ‘3 Party-App’ User accounts, set up so that each 3rd party product using the SDK for access is traced by its own user account. These user accounts are also popping-up in the notification about no complex password….

    • Thank you, Murph. Good point. But it’s more than just the user passwords for addons, they also have to re-authorize their apps (as I mentioned in another article). I’m still investigating some odd issues with that, perhaps for another article.

  • I don’t care if Lizzy from Ohio has 50 billion worms on her computer from looking at porn all night… Lizzy isn’t me, and it’s up to Lizzy to clean her stuff up. It isn’t for Intuit to set the security other than the law. So that was credit cards (which apparently is defeat-able by anyone that can figure out how to type keylogger into google.)

  • It would be nice, of course, if Intuit let their customers decide if they want stronger passwords (when not legally required). A simple checkbox in the settings would do. The vague statements about patching security issues would make any Intuit watcher suspect that this is about Intuit’s own security gaffes. Probably rather than implement modern encryption standards for passwords inside the QB file, they are making users change passwords every 90 days. Just ask Intuit how they encrypt passwords. They won’t answer, I bet. Apple will. Oracle will.

  • Charlie
    The EU has what it terms its “General Data Protection Regulation” which was first implemented in 1995 as the “Data Protection Directive” and incorporated by each EU state into their individual legislation. This directive required each EU state to pass into law the core requirements of the directive that governs how personal data is allowed to be collected and stored. Importantly, it states what data is allowed to be held and how individuals can ascertain what data is held by each organisation.

    The UK was one of the first to codify this in 1998, but only set the maximum fine for breach at £5000. Others such as Spain set the fine at the maximum in the directive at €600,000. The UK did later increase this to £500,000 under the 2003 Privacy and Electronic Communications Regulations.

    This article at Wikipedia (https://en.wikipedia.org/wiki/Data_Protection_Directive) shows the basic implementation of this and its successor this year (2016). There are plenty of other references but they tend to be written in more legal language than most people are able to understand properly.

    • Thank you very much, Chris. The security update in these releases should apply to the UK version of QuickBooks as I understand it.

      I didn’t go through the Wikipedia article in detail, but it does say that the business has to securely protect the information if it is there. That would cover SSN information (I don’t know what the equivalent would be in a UK or Canadian version of QuickBooks since I don’t have those). That wouldn’t cover the company’s own SSN or EIN, which triggers Intuit’s security feature. I’m wondering, in the EU case, would just having a person’s mailing address, or a business address or email address (etc.), invoke the EU security requirement?

  • I’ll have to side with Brian.
    Data security is my responsibility

    Two states have made PCI-DSS a law, WA & AZ, but those states did not make non-compliance a criminal statute. Otherwise non-compliance is a civil issue unless negligence can be proved; then criminal prosecution can happen.

    The real issue is the heavy handedness of intuit. Provide me with tools to use – that is great. Force me to use your tools your way – that is not.

    As a side note, complex passwords, on state and federal sites I deal with, require a minimum of 8 characters, with at least one number, one upper case and one special character.

    • I don’t know that there is a universal definition of “complex password”?

      I can see having the requirement if you have credit card info, but I think that Intuit’s PII definition takes things too far.

      • Hi Charlie,

        While I think your article is important to ProAdvisors in understanding Intuit’s stand on Security implementations and procedures for Password Protection, we disagree with your comment that: ” I think that Intuit’s PII definition takes things too far.” It actually probably does not take it far enough.

        If one reads the Security Software Codes per Marketplace that Intuit wants to do business in, i.e. USA, EU, AU/NZ, UK solo, etc., one will understand that some of this has to do with assigning or mitigating issues, responsibility, and liability, while providing the Security Layers which provide some form of protection not provided by most ProAdvisors to and for Small Business Clients.

        Most SMB’s do not have the IT Infrastructure, let alone the Accountants, etc. who understand the risks to which they expose their Clients, themselves, or the Software Vendor, respectively.

        Intuit is therefore forced to take this stance by the nature of its Clients, ProAdvisors, and its Customers, ProAdvisor’s Clients, and ultimately Small Businesses without the understanding and resources to do otherwise. It is all a very tough call with IoT’s!

        We respect Intuit in its decision and to hold fast, it must protect itself, because the same folks who claim Controls, will be those who assign Legal responsibility, upon the first Risk and Failure.

        Also, there are Password Standards in the Security Industry, and they have been applied to Software Vendors and AICPA Security Standards, alike, etc. All one needs to do is educate themselves and/or their Clients through classes with AICPA, RSA, UPGuard, Virtu, Okta, etc. and many more, to understand password value.

        We do not mean to criticize your analysis, but we recognize that the world of Intuit has become much more complex with the Internet of Things (IoT’s) and the Hosting environment of QBDT.

        Hope you will appreciate this comment and consider its merit.

        We believe everyone these days needs to consider Security, Privacy, their responsibility, role, and prepare accordingly.

        Respectfully,

        Tamra

        Tamra Groff
        Senior Consultant
        Groff & Associates / GH Financial Group

        • Thank you, Tamra, I always enjoy reading your analysis of issues like these.

          Let’s be sure to separate QuickBooks Desktop from QuickBooks Online. The desktop product isn’t in all of the markets you identify – it is only in the US, Canada and UK, and so the discussion should be limited to those countries.

          I still say that this issue wasn’t dealt with correctly. All of the points you bring up are worth consideration, but none of that has been brought up by Intuit as a reason for these changes. All I’ve gotten so far are vague comments about a security hazard, some references (in the past) to PCI compliance. If Intuit was truly considering all of these other issues then that should have been part of their explanation of why this was being done. Instead, it comes across as “we know what is best for you whether you like it or not”, which is not acceptable. We should have a better explanation, and we certainly should have had more information about the impact of the change before it was released.

          And I still think that more could have been done to provide better control by the businesses themselves.

          • Hi Charlie,

            While I agree with some of your points, I want to clarify our experience and knowledge.

            1. We are only speaking about QBDT and this situation does not play into QBO, although Intuit does have some development and security issues there, as well, but that is another topic. QBDT runs on insecure Desktops, Laptops, Servers with IoTs access, etc. and various forms of Hosted environments, etc. All are exposed to potential risks.

            2. Unlike many in this stream, we are very active Global Consultants, traveling and working at Client sites. You are wrong. QBDT is pervasive in India, some countries in South America and Africa, namely South Africa, the Ivory Coast, and other equatorial African countries. And some in Singapore, Philippines, Japan, and Russia, etc. too. This is because they all speak English fluently, as it is still the International Business Global language, used when one does not have a local language in common. Typically, these businesses using QBDT have Addon’s, some development with QBase, etc. and various forms of Multicurrency workarounds. They all have access to or host on the Internet. Security is a daily risk.

            3. As far as Intuit, they are at fault for not being Transparent enough. They are not the best company at communications and their fear of loss or competition often gets in the way of their own progress or approach to education.

            As far as rolling out or them having a, as you stated: “we know what is best for you whether you like it or not” attitude, they really have their backs to the wall with legal, risk mitigation, compliance, mandatory requirements, etc. And if any Accountant were to get wind of or know how easy it would be, right now, for them to sue or hold Intuit harmful, it would be a free for all or fully employment for Security Lawyers to take down and make an example of a non compliant Financial Software Vendor.

            Other Vendors would laugh with glee. We see if they lose a few Accountants, Pro Advisors, and/or Clients for non compliance, that’s actually great, because then they have no risk of liability and then it all falls on the Accountants, ProAdvisor, Users or Clients for using outdated software, when offered an alternative update or upgrade to comply.

            It is very tough for Financial Software Vendors worldwide.

            We do agree that the approach, lack of education, preparations, and ultimate implementation could have been handled differently. But then we are talking about Intuit’s choice.

            There were other options for a Security layer, Protections, and/or alternative Password Management, etc. but Intuit has put its focus and investment towards the Cloud and QBO, only maintaining limited upgrades to QBDT.
            And other or various technical approaches are another conversation, not for this post or looked at by Intuit.

            Also, excuse my language, but when one does something Half-A.., it comes out or across the same way!

            They did this with the first go around at QBO and Multicurrency for QBO. It took three tries to get it somewhat working and flying.

            Intuit does not listen and they really are declining in the Industry based on their actions. We wish they would get a real clue.

            Meanwhile where else will these Accountants, ProAdvisors, Users and Clients go?

            Wake up, Security measures are everywhere, in every Desktop App., that is still supported by legacy financial software companies.

            Hope you understand Charlie, I respect you. But, please be careful of Intuit’s wrath or miscommunications’ international ;-)…

            Enjoy our debates. Thank you for sharing.

            Respectfully,

            Tamra

            Tamra Groff
            Senior Consultant
            GASC / GHFG

  • Single user. No credit cards. Business done with PO’s. I deserve the right to choose how and what I will do for my own business. This is officious of Intuit and will disenfranchise their customers accordingly. Other suggestions for software? Unless they fix this, I am looking for a better company.

    • Look into Xero…they will also transfer your QB info to their software and they provide FREE payroll for 5 employees.

      • Can Xero transfer the data if your QB file is encrypted? I suspect that Intuit put the password requirement in place specifically to make this hard.

        • No “encryption” here, just a password requirement. No effect on the ability for Xero to transfer your data, just like there isn’t a problem with third-party addon products to access your data with Admin user permissions.

  • Two notes to add:

    1) I updated the article – Intuit says that if you remove the “trigger” information, the security requirements will no longer be in effect. Remove all PII and credit card info and turn off CCCP, no complex passwords are needed. Still have PII and credit card info but turn off CCCP, then the 90 day requirement is gone.

    2) I haven’t tested this yet, but Big Red Consulting is listing a free report tool that will go through your file and list any PII information that it finds. That would be a helpful tool for people considering “cleaning” their file before updating. See the info at http://bigredconsulting.com/qb-pii-report/

    • Thank you. This is extremely helpful. For anyone trying it, a small addition to the instructions: If you don’t already have add-ons installed, you may have to restart Excel to see the add-on toolbar that has the report tool (I did in Excel 2013). Also, you will want to have the Quickbooks file you want to analyze already open before you run the tool. Worked great for me.

    • At the risk of sounding unappreciative for BRC’s tool, I ran it and removed all PII that it found. It made no difference – QB still would NOT allow me to remove the password. The problem here is that Intuit has not provided their own method, within QB, to explain why they are requiring the complex password. I am EXTREMELY upset with their decision as I don’t have PII or CC data in my file. If they would enhance QB to provide a report based upon THEIR criteria so customers like me can remove whatever they believe is PII, then I would be happy. Everyone suggests sending feedback through QB. I have done this every time I open the file and need to enter a password. I’ve never received a response and frankly, I think they’re receiving so many complaints that they just stopped reading them. The issue for me isn’t about security, it’s about implementing the feature in a way that doesn’t provide enough information for people to determine how to disable it.

      Wake up Intuit!!!!!

      • The Big Red tool is limited by what the QuickBooks programming interface allows programs to see, and I believe that there are some triggers in the database that aren’t visible to add-ons. Also, there are some historical implications here, what kinds of things that you may have done with the file in the past that leave a trigger in place. It is a free app, which I applaud them for, and it does help some people.

        I disagree with your assumption that they don’t look at the feedback. They are aware of it.

  • For new files at least, to avoid the new password requirement do you think it would work to create custom fields for SS#/Tax Id or other triggering info and leave the official field blank? I know that wouldn’t work for everything (like online banking), but it could work for some needs like producing 1099 reports – adding the custom field column to the report.

  • My comment to Intuit is short and sweet, reverse this update or I will not purchase any upgrades.

    Also all my files use the following password QuickBooks1, I will change it to QuickBooks2 in 90 days if required.

    • I have decided to block ALL automatic updates until this fiasco gets fixed. I cannot afford another disaster that affects my ability to run my accounting business.

      • Note that if you are using the Accountant version of QuickBooks then you can’t turn off the automatic update feature. You can choose not to install an update when available, but then you get nagged every time you open QB.

  • Shall we consider that this latest justification is a good example of moving the goal post? Last week they were saying it was because the IRS was making them. Well, if this is so, I expect all accounting packages are implementing this. Is that the case?

    But now it is because they’ve identified a potential security flaw. Passwords cannot prevent security breaches in electronic files. They help prevent security breaches by personnel. Hacks target executable files. If there is a hack that somehow leverages data (think SQL injection attacks) then they need to patch the data file, but a password will not protect against such hacks. How could it? Eventually some user will get into that company file.

    Allowing access by user and password to data files is the job of administering a system. It is NOT Intuit’s responsibility. It is swell that they offered passwords as an option. That’s smart. Requiring it is ridiculous. You suggest using a password vault. I couldn’t agree more. Everyone should use one, and should use secure, surrogate (no words or phrases even if d1sgu153d) passwords, but that will not help with what is the pain point here. It adds a layer of false security that will lead to less secure systems as people work around this.

    It’s illogical, their argument is incoherent, irrational, and makes no technical sense. It is, however, infuriating.

    • I hadn’t heard them saying anything about the IRS in relation to this, but perhaps you saw something that I didn’t. As far as I’ve been watching this, it has always been a security issue.

      Actually, in the case of QuickBooks, your comments about passwords and file access aren’t entirely on base here. In general, the QuickBooks database isn’t directly accessible via SQL. Direct database access is locked down (to the chagrin of add-on developers). To get to the database you have to use the QuickBooks SDK, and if password protection is enabled then an addon application is going to have to use a QuickBooks user account that has a password associated with it. So, adding a requirement for a password does indeed significantly change the security of the file in relation to outside products accessing the files.

      Intuit hasn’t told me the specifics about the “security vulnerability” so I can’t do a detailed technical analysis of this situation, so I have to take them at their word. I do know that along with this update there have been changes that relate to data access by add-on products, and I have some suspicions about the “security vulnerability” based on a number of clues. I believe that the password requirement does improve the security of the database, in this case.

    • It would have been nice if I had been provided an OPT OUT of this disastrous update fiasco. I have handled my own security for 20 years with no issues…now I have a QB NET NANNY that I have learned to HATE.

  • I won’t lie, I used system restore on my computer to go back to the R6 release and used system restore on my company files (it required me to re-enter post-password-required data to fill the gap between the time I installed the R7 update and after). It took a while. I then went in and turned off most of the auto update features in QuickBooks and removed the patch directory. If you only had 5 changes since their awful update it isn’t too bad. However it gets cumbersome past that point…it isn’t something I’d recommend for a novice, but with that said, Intuit can dig their grave while I enjoy the old comforts while finding a replacement.

  • Excellent article, Charlie. I am a long time user of QBP with a secure home office, one secure computer, one employee (me), two company files, no credit card data, and no use of Intuit’s online features. I cannot get away from the excessive password requirement because each of my company files has its own Federal ID number, QB has my own FID, and there are bank routing and acct numbers.
    We all have the OPTION in Windows to protect our computer usage with facial recognition or some other form of password. We can turn on security (or not) that allows us to use our computer. This security choice is at the user level. Once we are into our system, we can use MS Office and work with Outlook, Word, Excel, and the other apps. We do not need to enter a password to use each of these applications. The individual documents and files can be password protected or not, user CHOICE. The analogy to the update from Intuit requiring passwords for each company file is like Office REQUIRING passwords for each app or even for each document or file. It’s absurd!
    Intuit, return to us the capability to control our own security. Don’t mess with my system that is apparently a lot more secure already than your own.

    • Fred, the comparison of Microsoft Office to an accounting product, QuickBooks or otherwise, doesn’t really work. A collection of disparate documents is not a financial database, and you aren’t (or shouldn’t be) storing your business’s confidential data in them (particularly not customer credit card information).

      I’m not arguing about Intuit’s decisions here or how they implemented this, just that your example doesn’t apply, in my mind.

      • Charlie, I appreciate your comments. My point is from the user perspective. Once a single user starts the single user computer, the single user should have gone past all the security needed to use anything on the desktop. As an OPTION, the user can add additional levels of security as he/she wants for his/her personal computer. When the user then opens a desktop application like QB and is required to pass an additional level of security for each company file, it is the same user action as if MS Office required a password for each of its components, Word, Excel, etc. To the extreme, Word, Excel, etc allow the OPTION of setting a password on every file in the respective folder’s database. A QB company file is one element of the QB folder under the Windows database, just as a Word doc is one element under the Windows database. Intuit needs to make this security requirement a recommendation.

        • While I agree that this security update should have been implemented differently, I still don’t agree with you on the comparison with Microsoft Office, Fred. We’ll have to agree to disagree, I guess. Keep in mind that QuickBooks can be a multi user system sharing data amongst different users, that in accounting offices you may have different people in that multi user environment and that some will have access to one set of company files while others will have different accesses. I just don’t see the parallel between multiple apps that handle different kinds of documents that typically are unique to the user (and that shouldn’t contain sensitive info unless protected further) and a QuickBooks database shared by multiple people that almost always will have sensitive information, with different levels of access for different users. Perhaps I’m too much of a programmer, I think of things from that viewpoint.

          • Charlie: The MS Office applications allow setting a user password on each and every document, and the user can have a separate password for each doc, if he or she chooses. It is an option, not a stupid requirement. You mention that Office folders should not have sensitive info. How about contracts between companies with Federal ID’s? How about W-9’s? Where would you put these things if not in a MS Office Folder? How about copies of QB payroll reports that have been converted within QB to PDF files? Anyone can open these without opening QB.
            And, I’ll bet there are a lot more single users of QB in small businesses than employees in accounting firms that have access to some company files and not all. The requirement should be optional. As others have said, I will run my own business, Intuit. Butt out.

          • Like I said, we’ll have to agree to disagree. I don’t equate working with Microsoft Office where you have individual records as separate files, usually (although you can have a “database” in Excel or a Word table) with a financial database like QuickBooks. Different operating characteristics. I do agree that the user should have more control over security in QB.

          • I agree completely with Fred here. Sometimes I use QB’s for absolutely nothing but shell balance sheets and income statements. On the other hand, sometimes I use Excel to keep confidential information. This should totally be up to the user, completely optional. This shouldn’t even be a discussion.

  • We all know that changing a password has nothing to do with its complexity or vulnerability. Stupid update.

  • The newest release has been hard coded to enter a password for every file. Our business is bookkeeping, which we perform for over 100 clients using QB Accountant’s Version. To have to set a password for every file, which by the way does not have a Merchant Account or Payroll attached, and then have to change it every 90 days is the most ridiculous idea that has been implemented in a long time. There should be an option to either elect this feature or to opt out. We have had to reinstall QB 2015 on all our PCs to eliminate this newest release and will not be updating again until this decision has been reversed. Intuit, please do not try to run my business. I will take care of security myself.

      • That remains to be seen. I do not have CC Protection enabled (and no credit card info in any of my company files) but I was warned I would have to change the passwords again in 90 days. I also work with 100 plus files with eight staff members. I was SO happy to pay employees for three hours of password changing tasks..bad form Intuit.

        • And, maybe I do this all wrong, but I open two different company files multiple times a day always having to enter the password for each file as I switch from one to another and back again. I can only imagine 100 files and 8 people working with them. Where is the tall building? I want to jump off.

          • We use file manager here (which works great) so it’s not much of a hassle on a daily basis but I am not happy to be forking out over $300 in wages to pay people to change all their passwords in QB every 90 days.

          • I’ve not spent a lot of time with the QB File Manager lately, so I’m not sure where it stands. The last I looked, it was lousy as far as how it worked in a multiple user office, since each user had their own copy of the “database”. So changing a password for a file on one workstation wouldn’t propagate the change to other workstations. Has that changed?

          • Hmmm…not following. Each of my users has their own file manager that they log into which then opens the QB file for their user. My staff doesn’t change workstations so it is not an issue. We are also in the clouds so each person logs into the virtual server and the file manager sits on that server for each user account. All the passwords still have to be changed in each QB file for this new requirement, which makes me mad because the file manager did what QB is now requiring – complex password that had to be changed every 90 days but then each user only had to change ONE password, the one for the file manager – NOT each individual QB file. Not only that – NONE of my employees knew their QB passwords before, I set them up and added it to the file manager – they only knew their password to the file manager. It was WAY more secure the way I had it set up before.

          • If you have multiple people working on the same client file, if File Manager isn’t sharing data easily, then when a password changes you have to go around to each of your people’s workstations and update the info there separately, last I checked.

        • If you can show monetary damages resulting from this change, then I believe you have good cause to take legal action against Intuit.

  • Tamra
    If you had not said that you were a consultant, I would have thought you worked for intuit.

    With your exposure to various countries, would you post a link to the LAW from any country that specifically requires the use of a password for access to accounting data?

    I can save you some time, there is no such law in the US.

    And that is what we are talking about here, requiring a password for computer access to accounting data – nothing else.

    Everything printed in the US refers to user responsibility to safeguard that data, that’s all.

    If intuit provides the option to use the complex password, they have met their responsibility as a vendor. The option to use that built in password requirement, or some other security method, is up to the user, and should they fail to do so, there are civil fines that can be levied.

    It is just like your auto insurance policy, you have a rider for theft of items in the vehicle. You park at the Mall, items are stolen, and in the police report you admit you did not lock the car. That admission allows the insurance company to deny your claim. They can simply because you did not take reasonable actions to prevent the theft – to wit, locking the car.

    • This is where things get murky, Rustler. I’ll admit that I’m not a lawyer, not an accountant, and I’ve not followed up on some of the concepts here because of time limitations.

      The IRS asks software developers to improve software security when sensitive material is stored. Now, I originally thought that this applied just to tax software, but I’m not entirely sure on that (not having done the in depth research). That isn’t a “law”, but should Intuit follow up on these recommendations?

      “Best practices” recommended by certain organizations say you need a higher level of security. If a software company doesn’t follow those recommendations, are they opening themselves up to a lawsuit? Or if an accounting professional doesn’t follow those, is there a liability?

      I don’t know. It is not clear. These arguments are for Intuit protecting themselves, not so much Intuit protecting the users, although you can argue (as I think Intuit is) that these changes are done with the consumer in mind.

      I tend to side with folks that say that it is the consumer’s decision here, at least to some degree, BUT it isn’t clear to me what specifications Intuit is REQUIRED to follow versus what they SHOULD follow in the consumer’s interest, versus what Intuit is doing to protect themselves regardless of what the consumer wants.

      I am certain that Intuit didn’t make this change just on a whim. They refer to a security fault, which is fine but doesn’t seem to totally fit the remedy they’ve issued. I think that issues along the lines of what Tamra and Chris point out (and others, in various other forums) must be a part of the reason. But Intuit hasn’t, as far as I’ve seen, stated what these other reasons might be, if there are others.

      In any case, this is a great discussion, thank you all for participating!

      • If intuit was required to follow a requirement to force this “security measure” on the customers, logic would say that all desktop software that could hold “sensitive” data would also have that requirement. I don’t see that happening or being talked about on any of the SMB forums and message boards that deal with other software.

        Intuit’s terms of service already say that they are responsible for nothing, even if the program does math wrong, it is not their fault.

        And if there was a requirement in law, why has intuit not referred to it?

        Law is the issue, the security standard set forth in the merchant card holder agreement, the **suggested** standards set forth in PCI-DSS, are just that – suggestions. All say specifically that security of data is the responsibility of the user.

        If compromising personal security information was something that could generate a lawsuit, don’t you think that the massive data breaches that are happening would have class action suits filed? The companies that have had massive data thefts have not even had their card agreements canceled by the merchant, yet the merchant agreement makes it clear that will happen – at least the last time I read one.

        Best Practices say you need a higher level of security – true. And no one here or anywhere else is denying that we have the responsibility to safeguard customer data.

        How we do that is our choice.

        • “Required” is your word, not mine, as far as the IRS. I’m not saying that they were “required” to. And, as far as the logic of not seeing other vendors changing things, all I can say is that other vendors I’m talking to are evaluating what, if anything, they need to do. You may start seeing other products changing their ways later this month. But, this is all speculation.

          Again, I’m just speculating as to why Intuit has made this change, responding to what some other people have brought up as potential issues. We don’t really know all the reasons why Intuit made this change at this point, and I would like to know more.

  • I just want the option to lock my car or not lock my car. Intuit should allow us to make that type of decision ourselves. We are business owners, that being said, we carry the burden of securing our desktops where QuickBooks files are housed. It is up to us to secure the client’s confidential financial information. Intuit, get out of the way so we can take care of business.

  • Charlie,

    Thanks for your post. This change was a big issue to me when it first rolled out, so big that I had to post to the Sleeter.com forum. When the roll out took place, I had three files in particular that I had in process, two of my own company files and a file I use to track personal finances. The first two required PCI years ago and that was understandable. But my personal file that I have set up for online banking is what really irritated the “you know what” out of me. I tried to figure out why that file had to be password protected. Your article has since cleared that up. So, here’s my take. Intuit believes they have my best interest in mind by requiring me to password protect a personal file due to its use of online banking. That sounds like a police state to me. Telling me how to manage my personal file is abhorrent.
    And in your article, or Intuit’s statements, neither offered an exception for those who use a hosted desktop like Right Networks. Unless you’re going to suggest that using the hosting companies is as vulnerable as keeping the data in my office, I believe I have already done my part to protect my client’s files, as well as my personal files.
    As I stated in my Sleeter post, Intuit has greatly overstepped its responsibility for data protection. The option to password protect, or not, should be mine. I hope that before QB Connect and Accountex they will get this corrected, if not sooner. They want us accountants and ProAdvisors as partners not adversaries.

    • Jim, things are confused enough just talking about QB Online security versus QB Desktop security on your local system, without getting into the confusing issues of security when working with QB Desktop in an online environment (hosted), or QB Online with a desktop app, or QB Desktop with remote access of some sort. There are many, many different situations as far as security is concerned, and it isn’t a simple subject. I think that we need to address the most common situations – QB Online in the normal sense, and QB Desktop in a typical use. Once we settle those, then we can start worrying about the variations.

      One can argue that desktop data in hosted environments aren’t necessarily safer, or more at risk, than data in a desktop in the office. The issues are similar but there are differences. Without going into a long discussion, the hosted environment MIGHT expose your data to online hacking to a greater degree (not necessarily), but then it also protects your hardware from direct unsecured access. So there are some increased exposures and some decreased exposures. I think that is a separate issue from the password requirements for an individual desktop file.

  • Charlie, here is a possible scenario.
    Assumptions: you own a business I want to buy, so I hire a hacker to get me the inside financial data. You shut down the computer at night so after hours external hacking is not possible.

    I gain entrance to your store after hours and turn on the computer
    I insert a cd, go to the bios set up and change the boot sequence to cd first
    your computer boots to the desktop bypassing any start up password you may have set in place.

    I open each browser you have looking to see if any of them open with an email tab already logged in

    I start up QB, if my cd can not crack the password, I click I forgot my password and start checking email. Intuit sends me a one time log in valid for 10 minutes, so I use it and reset your password, QB opens, I steal all the financial reports I need and close things down. Then I delete the intuit email from both the inbox, and the deleted folder

    You come in, every thing starts normally, but you can not get QB to accept your password cause I have changed it, so you click I forgot my password.

    And yes there is utility to bypass and/or crack the bios password if you have set one, but most people never think about setting it.

    And those utilities are freely available on the net by the way, legitimate IT techs use them too.

    • And your point is?

      Data security is more than just passwords, simple or complex. Physical security, adequate backups, proper procedures, all that and more is very important. But that is the larger scope than just what is being discussed here.

      I’ll say it again. I would like to know what the reasons are that Intuit made these changes (I understand that they won’t tell me the details of the “vulnerability”, but there has to be more than just that). I would like to see a way for users to opt out of the higher level of password requirement (Customer Credit Card Protection was an optional feature, before this, and you had control). I would have liked it better if Intuit did a better job in communicating with ProAdvisors in advance to let us know what was going to happen with this update. And finally, I don’t recommend that people just decide to not install updates on a permanent basis, in general, because there could be key bug fixes in future updates that are critical to your business.

  • Hi all,

    After writing, following, and reading all your responses and poor Charlie’s task of fielding these questions, I thought I would post some resources which might be helpful to all of you in learning about PII, PCI, and DSS, HIPAA, etc., its code ramifications to Vendors, adoptions by Countries and the requirements for Users.

    Users and Consultants (including all Financial professionals) are not immune from responsibility and/or the potential for legal liability actions against each other. Each should learn, apply to the best of their abilities some Security mechanisms, and check with their respective company’s Professional Liability Insurance to know how they would respond in any such action.

    We actually believe that Intuit is protecting itself first and by extension, ProAdvisors, and then Customers. We believe their implementation was poor and last minute, hence the 90 Days, etc.

    They could have implemented a secure, seamless, and communicative user experience, if they had wanted to spend the money to completely overhaul QBDT’s inherent subsystem structure. But they chose the fast, half baked, non communicative approach, and a simple way to comply.

    This is the real rub here…Get it, they are not committed to a legacy, desktop App., with no future!

    They are not willing to invest any money in rewriting a Desktop App. to comply with Security requirements such as PII, PCI, and DSS, etc. And, if ProAdvisors use legacy, unsupported products, then ALL the responsibility falls to them and their Users, respectively.

    Problem solved for Intuit! Not responsible for ProAdvisor and/or User actions. Intuit is cleared!
    The Financial Institutions, such as Banks, etc. will bypass the Software Vendor’s deep pockets, in any action that they can clearly show use of non-compliant Apps., and assign responsibility to Users instead. Users and Professionals will have to take it up with each other.

    It is important, in this new IoT world, to educate all on PII, PCI, and DSS, by extension HIPAA, etc. The Standards and Codes are only getting more intense as time goes on and unique by Country.

    Here are some very informative sites:

    https://en.wikipedia.org/wiki/Payment_Card_Industry_Data_Security_Standard

    https://www.pcisecuritystandards.org/pci_security/glossary

    https://www.pcicomplianceguide.org/

    http://resources.infosecinstitute.com/where-do-pci-dss-and-pii-intersect/

    http://resources.infosecinstitute.com/

    https://www.wombatsecurity.com/suggested-programs/compliance-program

    https://www.upguard.com/hubfs/UpGuard/handbooks/password_checklist_handbook.pdf

    There are many more resources out there as well. Too many to post here. Enjoy these sites.

    We agree with Charlie, Security is a series of measures, all which need to be implemented and considered Client by Client, User by User, Environment by Environment, etc. And, nothing is foolproof. But the action of trying to comply when presented it by a Vendor, is helpful, not disastrous.

    Flipping one’s finger in the air at a Vendor or reinstalling an insecure legacy product rather than understanding the situation is not productive. It is instead an opportunity for change!

    Clients do have the ability to take an action against any Professional they deem culpable for lack of Security measures and/or circumventing the Vendor’s recommended software upgrades for compliance.

    Hope all this information is helpful in understanding Intuit’s position, as well PII, PCI and DSS, etc.

    Sincerely,

    Tamra

    Tamra Groff, Senior Consultant, GASC/GHFG

    • I’m sensitive to lax security in my many environments, but I take some issue with your analysis of the updates in question here.

      First, the update forces users to encrypt their own data in a way that is not reversible. That has the key characteristics of a ransom attack, which is actually criminal. It is true that unlike a classic ransom attack, I generate the password, but the encryption impacts my ability (within the license terms!) to access the data in *my* files without using QB. Whether or not they have some valid security claim, they cannot legally encrypt my data in a way that prevents me from exporting it to, say, a new provider if I want to leave QB. *Maybe* they could put that in the licensing terms for a new user, but they can’t retrofit those terms onto existing licenses. (I read their license and see that they have some broad terms in there about being able to force updates, but I don’t believe that Intuit can enforce those here precisely because they are so broad and this change fundamentally impacts what I can do with the program.)

      Second, your argument that QB users might have liability does not have any bearing on the question of whether users need to accept QB’s implementation of security. Security in all of these cases is the responsibility of the user, not the vendor. The lack of transparency by Intuit in what they are doing, moreover, has the potential to leave users open to liability issues where they exist. If we have specific encryption requirements for data, does Intuit’s implementation meet those standards? How can we verify? If we cannot verify, then we have to assume that the Intuit requirement is not sufficient and put in our own security measures anyway, making the Intuit level useless.

      Third, you’re completely ignoring the community of small business users who don’t have clients’ data on their machine. All reports I’ve seen indicate that the password requirements trigger even if only owner/user data is entered.

      • Poor example. There is no “encryption” here, just a password. You can still get your data. You can still export your data. No interference here. Ransom attacks won’t let you get your data unless you pay a fee. No comparison with this security update at all.

        • What is the password doing if not serving as a key for encryption? Is the file really sitting on the drive in the same state as it would have been before the password requirements? How does that provide any security?

        • Sorry to double post, but to be clear: I was *specifically* told by Intuit support that they “required” the password to encrypt my data. I was also *specifically* told that this would, by design, reduce or prevent third parties from converting the file into another format. If what I was told is true, then I’m sticking with the comparison to a ransom attack, with the “ransom” being that I have to keep paying Intuit for things that I do or could do myself or pay others to do.

          If that’s not true, then shame on Intuit tech support, but I’d have to examine the consequences of the change in light of any new information.

  • I am responsible for all data input for my small business. I accept credit cards but use an outside program for it.

    Passwords on one’s own hardware should be optional.

    Can anyone here recommend a good alternative to Quickbooks?

  • I own a single person business without any employees and do not conduct business on the internet.

    This password requirement is nothing but a major pain. I absolutely HATE companies who decide that I am too stupid to deal with my own computer security, and do it for me without asking.

    I did not purchase QuickBooks for their security, but rather for a good accounting package.

    Please Intuit, gives those of us who know the risks and assume the liability the opportunity to think for ourselves and remove the password option.

    • “Please Intuit” does not do it. “Hey Intuit, we will not purchase an upgrade until you give us the option to opt out of the password requirement” is far better.

  • QB….I do not know who died and made you my NET NANNY! I should have been granted an OPT OUT choice for this disaster. Since the update I have had nothing but problems logging in and a severe lack of security having new passwords on post-its on employee computer screen all over the office….FIX THIS UPDATE!

  • Implement OPT OUT option or We will Advise all our clients to purchase another Accounting software which does not make decisions on our behalf

    • Advising your clients to switch accounting software is not going to happen and is probably a bad idea. Advising them not to upgrade to the next version (in protest) when it becomes available makes more sense.

        • Huh!!? Did Intuit announce they’re discontinuing desktop updates after 2018? Could you point me to more info?
          Thanks!

          • If Intuit UK is not releasing a new version of desktop after 2018, I can well imagine that most customers who require payroll will migrate to a company that does continue a desktop version that still allows payroll. I certainly haven’t seen anything as yet.

          • Chris, after checking with Intuit, I’ve found that your statement isn’t quite accurate. Intuit has decided to not sell “boxed versions” of QuickBooks desktop in the UK, in retail stores. However, they will continue to sell the downloadable version through telesales, their website and some other channels. There is no plan at this time to discontinue the product altogether. Just not making CDs to sell physically. And this is just in the UK.

  • This security update isn’t just about ‘passwords’ it’s about protecting ALL ‘sensitive information’ in QuickBooks files and that means more than ‘Credit Card information’ it also includes Employee Social Security information, and Vendor EIN information, as well as your own tax numbers.

    Hopefully the encryption routine provisions associated with the new user password features have been applied across the sensitive data within QB, and if they ‘got it right’ it may prevent the types of encryption/decryption errors that have been prevalent in 2014, 2015 and 2016 versions.

    Lastly let me say, a lot of people providing comments in here seem to think that if they complain loud enough it will get changed, that isn’t going to happen. Intuit would have significant liability in having recognized security concerns, done something to protect/resolve those concerns, and then undoing what they did. It would almost be an admission that ‘we don’t care about file sensitive data security.’ They are taking the steps they feel makes the software secure and they view that as ‘far more critical’ than customer appeal in this issue.

    Now think about your own ‘liability’ if you fail to implement the security update, knowing it exists, and some sensitive piece of information is ‘hacked’ or ‘garnered’ from your system? I hope you have good business liability coverage.

    And as a ‘trusted advisor’, if you advise your clients against protecting their data, where does that put YOU, when something happens with their data in the form of sensitive information compromise. Again, I hope you have good ‘professional liability’ coverage.

    This ‘little inconvenience’ may not be a panacea of protection, exactly the same way that the new ‘chip cards’ are not a panacea, still the same as old Ben Franklin put it, “an ounce of prevention, is worth a pound of cure.”

    • This answer *maybe* applies to people providing services to other businesses, but there’s a large body of users who only have their own information in these files. They have none of the liability that you mention because it’s their own data.

      The “fix” that’s been pushed here – including how it’s been pushed – seems more designed at making it hard for Intuit customers to move their company files to other providers and dump Intuit completely than it does in any genuine sense of security. Intuit deciding to encrypt my data through an update is essentially a ransom attack. Ransom attacks are criminal.

  • Hi Murphy, and welcome to the fray. I think it is fair to say that everyone posting here understands that Intuit discovered one or more security issues, and, hopefully, got the fix right. However, I think your comments about Intuit’s liability are a stretch. First, the greatest liability for Intuit was before the flaw was discovered since it was Intuit’s responsibility to be secure from the beginning. Once the flaw was discovered and (again, hopefully) fixed, Intuit’s liability decreased. Making the password optional would not have affected the liability since Intuit would have provided the fix and a strong recommendation to turn on password protection.

    Stupid customers like me who have two QB company files, on one and only one computer, in a home office with one and only one person, with no employees other than myself, who do not take credit cards, who do not use Intuit’s online services, who have only two EINs (my 2 companies) and zero EINs for clients and only one SSN (mine) in QB should be capable of managing our own security.

    People who like to fish want to fish where the fish are. The same is true for hackers. The reward for a successful hacker into my system is minuscule with one fish vs millions of credit card numbers, SSNs, and other PII in Intuit’s systems. I take security very seriously; that’s why I do not use Intuit’s online services. If we stupid customers choose to ignore Intuit’s strong recommendation to turn on password protection, I doubt very much Intuit has any more liability from making the use of passwords a strong recommendation, but not a requirement. They have covered their butt either way. Let stupid customers be stupid.

    Pareto’s Law tells us that 20% of the firms using QB have 80% of the people using QB. Conversely, this means that 80% of the firms using QB are only 20% of the users. We are small office / home office folks with 1 or 2 users and few fish. The password requirement does not add to the security we already have, yet it is a constant pain, and that pain will be reinforced every 90 days.

    Intuit, please make the password requirement optional. We small offices do not see the value-added from required password protection. We may only be 20% of your users, but we are also the 20% of your customers you have the greatest risk of losing.

  • Great article. Once I remove the PII (I never had set up credit cards) how do I turn off the password requirement?

      • I spent more than two hours on the phone with support and they could not determine (even after remote connection) why all but one (which I knew needed advanced passwords) of my files was requiring the advanced passwords.

  • I realize that most of us are very angry and frustrated with Intuit. However, do you really think that posting in this blog will lead somewhere (other than venting)?

    We all need to bombard Intuit – through the program itself as outlined above – possibly a class action law suit – in order to get our point across and have them remove the horrible invasion of the way we operate in our own practices.

  • I have a QB installed on a single user computer with security at the system level. I do NOT need QB forcing me to enter a password to get to my files. This is ridiculous! QB gets more and more expensive every year and then they do this without an option. I’m over QB and want an alternative product. Any recommendations out there?

  • I for one hate the thought of getting a new accounting program, but the way it is interferes with my business.

    Does anyone have a timeline as to when (and if) we can expect Intuit to issue a new update to correct the password requirement?

    • Intuit generally doesn’t announce changes in advance of the release date. And if they tell someone like me, I would be under NDA until the actual release date. So, unfortunately, until we see something ready to release (if they, indeed, do change something), you won’t get any advance word. Usually.

  • I do not need a NET NANNY….I do not want a NET NANNY…..and let me run my own business. And I will need to deal with this password shit again in 90 days. I have 18 clients…..this is just too Orwellian for me! QB….GET OUT OF MY BUSINESS. You are already too expensive for updates annually and now I have to spend too much time with password updates every 90 days!

    • I feel your pain! 103 QB files x 8 employees – do the math. Not to mention that I have been trying for a month to get rid of the stupid popup about IPN being discontinued on files that have never had IPN, with no luck. Intuit blames the Payments Department and they blame Intuit and I remain stuck with a stupid pop up every time I open a file. I am getting EXTREMELY frustrated with a company that I have done business with for over 18 years with very little other issues.

  • Thanks for the update Charlie – very helpful. I agree that many businesses are way too lax when it comes to protecting their data in QuickBooks. And because I use Intuit Payments, I’ve had to change my password every 90 days anyhow. My only concern was reading (in one of your other blogs) about people being stuck in a loop of having to keep creating a new password and then QB not recognizing one had already been created. It sounded like tech support didn’t have a solution and some were spending hours on the phone. I’ve heard it may have something to do w/the admin user profile being corrupted but was wondering if you have heard anything about that issue and if there was a resolution to it. I personally would love to move forward w/the patch and be done w/the pop-up box every time I log in. Thanks!

    • I am one unfortunate business that has to deal with 3 of my 18 companies the QB does not recognize passwords. If I keep trying for an hour or so eventually QB recognizes….this is bulls**t! I should not have to waste my time with this. QB has made another enemy….looking into other software….I do not need a screwed up NET NANNY…….

    • There are some cases where people get in that loop. I haven’t had my hands on a system that exhibits this behavior so I can’t say much about it. I don’t know how common it is, but I think it is not all that prevalent. In any case, that is why you always make a backup with the older version BEFORE upgrading or updating. If you are upgrading from an older year of QB you keep the old one around so that you can go back to it if something goes wrong.

  • Thanks Charlie for clarifying the issue. After upgrading to R10 I could not open any QB files the normal way. I teach QB 2015 online in a couple of community colleges. As part of the program, students restore about 40 data files for assignments and for obvious reasons passwords are not used. All this was working great till last week and then I upgraded to R10! Now I have to set a complex password for each data file every 90 days and then upload to BlackBoard. What a mess! I am almost inclined to uninstall QB 2015 and start over without the upgrade to R10. Fall session begins in a week so I have to figure out a solution soon 🙁

  • Intuit: I know you check these messages. This is insane that you insist on telling your customers how to run their businesses and, in the above case, how to handle dummy data files used in teaching your software. Please make the password optional.

  • Fred, contrary to what has been said, I don’t believe Intuit does read this blog. I can’t imagine any responsible company seeing this much negative feedback on a relatively simple issue would simply ignore it for this long without any response whatsoever…

    • They do see these notes. Keep in mind that they don’t publicly discuss program changes, usually, until the changed program is released. And anyone who has advance knowledge of changes is usually under an NDA until that release date.

      • Charlie, with all due respect, how can you be so certain that Intuit is listening?

        If I were in Intuit public relations, at the very least I would respond to all the negative comments with a simple “we hear you, and are working on a solution”. That one statement would do a tremendous amount to quell the anger and frustration of so many, and perhaps prevent the mass exodus of good customers to other accounting programs.

        • Roger, because I am engaged with them in an ongoing discussion on the topic, offline.

          Listening is one thing, whether they make a change or response is another thing.

          You rarely see Intuit folks respond in comments here because those conversations tend to end up being flame wars, which is unfortunate. As far as any sort of public response, I can’t speak for them so I won’t say much more there.

          Intuit is a Company that places a lot of value on hearing what people are saying. They put a lot of effort into receiving feedback. More than many companies that I work with. Whether they change the product in response, though, is a totally different issue.

          More than that, I really can’t say…

          • I understand your intent, but you are speaking in contradictions. A company which fixes a security vulnerability by slapping complex password requirements on most of their customers rather than by fixing the software (if this was not the case, the Mac versions would also have incurred the complex password requirement), then chooses NOT to change the product in response to this level of negative feedback does NOT place much value in what their customers are saying. Sam Walton (who knew how to listen to people) had a saying – “If you don’t take care of your customers, somebody else will.” Companies can’t claim to place value on their customers’ opinions and ignore them at the same time.

          • I won’t defend Intuit’s decision, as I would have done this a different way. However, your reference to QuickBooks for Mac is a bit off base. That is a very different product, it has VERY different security issues. Unfortunately, I don’t know the details of the “security flaw” that Intuit uses to justify this change (amongst other reasons). However, I have a suspicion as to what part of the problem is. QuickBooks for Windows has several differences from the Mac version, such as a programming interface for add-on products, and the “accountants copy” feature that ports the data out. I’m speculating, as I don’t have information in detail (but I have some clues), I think that the programming interface was part of the problem. I suspect that a “fix” for that would have created a problem for anyone who uses an add-on product, including custom programs. If Intuit were to do something that made those stop working you would have a much bigger outcry than we have seen here. But, again, I’m speculating. And, again, I wouldn’t have implemented it the way that Intuit did.

    • Joan, that is an incremental update (the number after the underscore) and Intuit pretty much never tells people what those updates involve. These are “stealth” or background updates, essentially.

      The update can be for anything – not necessarily the security issue. It could be a change for QuickBooks Payments, for example (there were some recently). It could be payroll. It could be Sync Manager. You never can tell. USUALLY these are small and relatively innocuous updates, although that isn’t guaranteed.

      We never know what these updates are…

  • Charlie I removed all the PII information, credit card information, social security numbers, and vendor information. All the bank accounts have had their account numbers and aba numbers removed. I do not accept credit cards (never have) and out of my 6 companies, all but 1 do not require a password. It’s the one that is driving me crazy. I even set up a dummy company with the same data so that I could delete things to get rid of it and yet it still requires a password. Any ideas you may have would be greatly appreciated.

    • https://community.intuit.com/articles/1370759-quickbooks-desktop-security-information

      The above link sets out the Personally Identifiable Information (in Q13) that QB detects in order to apply a strong password.

      It seems that any narrative on an account name, such as a loan account number, may trigger the implementation of the strong p/w.
      A suggestion for Intuit could be to include a PII identification report, which will give the user the opportunity of deleting any details which trigger the PII p/w requirement.
      A more satisfactory solution would be to issue a QB Desktop version that rejects the inclusion of information which would require a strong p/w (many users never use QB payroll or banking information).

      Q13. What are the specific Personally Identifiable Information (PII) data that QuickBooks Desktop detects to require a strong password?

      QuickBooks detects presence of the following PII to deliver strong password controls:

      Employee and Company Social Security Number
      Company EIN
      Company Bank Details (Routing Number, Account Number)
      Company Credit Card Acct. No.
      Other Assets Account No.
      Other Current Assets Account No.
      Loan/Other Current Liability Account No.
      Long Term Liability Account No.
      Vendor Tax ID

      My question is that, if all the above information were to be deleted from a QB file, would the reminder to install the secure p/w be negated?

    • I can’t say without hands on the file, Sue. Also look to see if you have your own SSN or EIN in the company information. I suspect that there are cases where some file corruption could cause an issue, too. You can try making a backup of the file then performing a file rebuild, to see if that helps.

      • All of the data listed by Quickbooks in their article (and what Robert posted) is blank. I tried the rebuild and it found nothing wrong. I even used that program from Big Red Consulting and I still can’t find the “trigger”. I’m calling Quickbooks next to see if there is anything else – I’ve already wasted far too much time on this. I can understand, if you work with several companies, having one password when you first go into Quickbooks and then no longer needing it, or even making it so you have full access to the companies but requiring a password to see the “classified stuff”, but in reality the majority of the PII that Quickbooks has decided needs to be protected can be found easily enough. A Corporation’s EIN is not confidential; account numbers on bank accounts – which can be confidential if you don’t ever write checks – I mean seriously, this is ridiculous.

          • Yes, it didn’t work. I actually made a copy of the copy, restored it from back up and deleted all the vendors and employees and it still asked for the password. There is absolutely nothing in here that is PII and yet I can’t get rid of the password.

          • Charlie,

            based on Sue’s elimination of all PII records from a test file and it still requires a password, it seems likely that Intuit has made an unannounced software change. The effect seems to be that once a password has been added, it cannot be removed, irrespective of no security issues being detected.

            In order to avoid potentially needless iterations of changes being made in order to find a security trigger, perhaps you could clarify this with Intuit.

            It should be a matter of courtesy for Intuit to let customers know that they could be wasting their time, if a blanket security requirement has now been added.

          • Robert, you misunderstood the earlier comment. I was able to get the password removed from 5 out of 6 companies by removing the PII. I’m trying to figure out what is left that is keeping this one company from being free.
            Charlie I tried an experiment that maybe you can help with. I made a new company from the existing company file. I then tried various things like using excel to copy in the customer and vendor lists. I also used it to copy over my chart of accounts. None of these things triggered the need for a password. Then I went to my original company, exported the lists (individually) to an IFF file went to the new company and imported them one at a time. Each time I imported a file, I checked to see if I needed a password. As soon as I imported the IFF file for the Chart of Accounts, the password was triggered. I then deleted every single account (hidden and not) and yet the password did not disappear.
            I then took the new company and exported the Chart of Accounts list (which should have been blank because I deleted everything) to my desktop. It has 139 bytes of data in it. How can I figure out what is in that data that is causing the password to be needed?

          • Did you export the COA to IIF and look at it?

            Odds are it has something to do with a checking account. And if you have used that account with a QuickBooks Payments setup, or online banking, perhaps on that particular computer.

            It can be hard to figure out sometimes.

          • Hi Charlie and Robert I just wanted to let you know that I ended up uninstalling Quickbooks and then reinstalling it. The one company that was giving me such a hard time is now resolved. So apparently if you remove all PII, and credit card information and then uninstall – reinstall, you can safely do the update and not need a password.

          • Which leads me to think that there was some connection with a checking account and online banking, or payments systems, or something of that sort. Another test would have been to try that file, once you removed all PII you could find, on a different computer.
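As an added example (not code from the post, from Intuit, or from any tool mentioned in the thread), a small Python scanner that reads a QuickBooks IIF list export like the one Sue produced and reports which records still carry the Q13 data points quoted above; the IIF column names ACCNUM, BANKNUM, SSNO, TAXID and HIDDEN are assumptions about the export layout, and the sample export is constructed.

```python
"""Scan a QuickBooks IIF list export for the Q13 "strong password" data points.

Added example, not Intuit's code. The IIF column names used below (ACCNUM,
BANKNUM, SSNO, TAXID, HIDDEN) are assumptions about the export layout, and
the sample export is constructed, not taken from a real company file.
"""
import csv
import io
from typing import Dict, List

# Record type -> {column: Q13 label}. Column names are assumptions.
PII_COLUMNS: Dict[str, Dict[str, str]] = {
    "ACCNT": {"ACCNUM": "Account No.", "BANKNUM": "Routing Number"},
    "EMP": {"SSNO": "Employee SSN"},
    "VEND": {"TAXID": "Vendor Tax ID"},
}

# Constructed sample export: tab-separated, '!' lines are column headers.
SAMPLE_IIF = (
    "!ACCNT\tNAME\tACCNTTYPE\tACCNUM\tBANKNUM\tHIDDEN\n"
    "ACCNT\tChecking\tBANK\t0001234567\t021000021\tN\n"
    "ACCNT\tOffice Supplies\tEXP\t\t\tN\n"
    "ACCNT\tOld Loan\tOCLIAB\tLN-88812\t\tY\n"
    "!VEND\tNAME\tTAXID\n"
    "VEND\tAcme Supply\t12-3456789\n"
    "VEND\tJoe Plumber\t\n"
)


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not PII."""
    value = value.strip()
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan_iif(text: str) -> List[Dict[str, object]]:
    """Return one finding per populated Q13 field, hidden records included.

    Inactive (HIDDEN=Y) records are still part of the export, so they are
    reported too rather than skipped.
    """
    findings: List[Dict[str, object]] = []
    headers: Dict[str, List[str]] = {}
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if not row:
            continue
        tag = row[0]
        if tag.startswith("!"):  # header line: remember this record layout
            headers[tag[1:]] = row[1:]
            continue
        cols = headers.get(tag)
        if cols is None or tag not in PII_COLUMNS:
            continue
        record = dict(zip(cols, row[1:]))
        for field, label in PII_COLUMNS[tag].items():
            value = record.get(field, "").strip()
            if value:
                findings.append({
                    "record": tag,
                    "name": record.get("NAME", ""),
                    "field": field,
                    "label": label,
                    "value": mask(value),
                    "hidden": record.get("HIDDEN", "N").upper() == "Y",
                })
    return findings


def report(text: str) -> str:
    """Human-readable summary of which fields still need clearing."""
    findings = scan_iif(text)
    if not findings:
        return "No Q13 data points found."
    lines = [f"{len(findings)} trigger field(s) still populated:"]
    for f in findings:
        flag = " (hidden record)" if f["hidden"] else ""
        lines.append(f"  {f['record']} '{f['name']}': {f['label']} {f['value']}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_IIF))
```

Run it against your own export (File > Utilities > Export > Lists to IIF Files) by passing the file contents to `report`; a clean result means the listed columns are empty, not that every possible trigger is gone.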

  • @Charlie Russell, sorry for the delay in answering your comment. I understand you have a relationship with Intuit, so be it. I still don’t understand why any company would choose to ignore the vast frustration and downright anger from accounting professionals, act as monarchs in their proverbial castle, and refuse comment (or prefer to speak through their earthly emissary).

    Perhaps when their bottom line starts falling, only then will the kings come down from the mountain and speak to the countrymen who support their life style.

    Sorry for the hyperbole, but that is certainly what it feels like at least to me.

  • Basically…..I do not need, I do not want and I do accept Intuit as my NET NANNY…..they can go insert the “update” in the orifice I am thinking of and let me run my own business! I have 18 companies that I now need to f**k with new passwords every 90 days. I have server level security….I do not need Intuit screwing with my employees time. As for security…now every 90 days another post-it marathon will be hitting the monitors so they can log in. Is this considered security by Intuit?

  • Those Intuit SOB’s are suggesting we upgrade to QB 2016…..are they going to provide this free to those of us who have been screwed by this recent “upgrade” FIASCO? Otherwise I will not accept any upgrades from this POS NET NANNY.

  • I was considering switching to Xero and saw that Xero offers to convert your QB file so that you don’t lose any information during the switch. Does this encryption requirement impact their ability to make such conversions? My suspicion is that the password requirement has nothing to do with security of user data and everything to do with making it hard for Intuit customers to jump ship to their increasingly appealing competitors.

    Apparently if you call and complain loudly enough, Intuit will send you a link to roll back to the R9 version of the software. You’re then potentially stuck at R9 forever as noted in the article, but given the low quality of the recent updates, I think that may be less bad than the article makes it out to be.

  • Does anyone know how this works with back-ups of company files?

    Is my back-up file tied to the password that I had when the back-up was made? If so, what’s the point in making me change my password every 90 days if I have a directory of back-up files “protected” by the old passwords? And does that mean that I need to keep every complex password written down somewhere, annotated by when they were valid, in case I want to go back?

    Does it get updated somehow to my current password, and, if so, how does that work with remote back-ups?

    I see that Intuit has some password recovery service (and also that there’s no guarantee that they’ll continue to offer it). This must mean that the encryption is not really that strong since any proper encryption scheme would ensure that they cannot have the password themselves or break it so quickly.

  • If you made a back-up prior to your upgrading QuickBooks you could uninstall your current QB from your computer, reinstall it in the prior version, then restore the pre-upgrade back-up and just make certain NOT to ever upgrade your QuickBooks for either new releases or new versions ever again.

    If you are running QB and are not ‘security compliant’ then you obviously won’t be able to use any Intuit connected services that are reliant upon ‘security compliance.’

    Obviously if you have done any work since upgrade, then you will just have to enter all that work again in your restored data.

    When Intuit finally quits supporting the version you reinstalled, then you either upgrade (and get all the new security requirements at that time) or you are simply ‘out of luck’ and will probably have to return to pencil, paper and a shoebox of receipts since almost all accounting software offering features like payroll and payments and capturing sensitive data from other individuals like employer IDs (etc.) will have identical or even more strict security compliance requirements by that time.

    • What if I take the R10 upgrade, bite the bullet on the password, and play it Intuit’s way? Aren’t all of my back-up files protected by the old passwords? And if so, why did I have to change my password anyway since my old password will unlock a very significant fraction of the data “protected” by my new password?

      • Oh jeez – didn’t even think of that. If I ever need to go back and pull an old backup (done more often than one would think) just to verify data integrity in my firm – I am now going to have to figure out a way to note what the password was at the time of that particular backup. Just one more headache…

  • Seems to me that most responders are getting het up over (relatively) nothing. Most governments (and courts) are now expecting the application of enhanced security over accounting records, especially those which include ANY personal data – we in the EU have had to cope with these standards now since 1998. The financial penalties for non compliance are significant (in the EU it can be a maximum of €500k per breach).

    In short, this is the price of progress, like it or lump it!

    • @Chris, you have failed to understand any of the issues with this.
      – It does not improve security of the QB
      – It is my job to secure my data; it is Intuit’s job to secure their application. Imposing a password does not help that.
      – For accounting professionals who have multiple clients and multiple passwords this is an unacceptable burden.

      But, thanks for playing.

    • There are a couple of issues with this update, but your post highlights one of serious concern: This is NOT a security update in the sense that most people on the thread seem to think it is. Maybe Intuit found a bug in their software that created a security issue and maybe this update fixes that. If true, then it’s not wrong to call this a “security update,” although I find it hard to imagine what type of security issue this could actually patch.

      BUT for everyone who has requirements to protect PII (or the equivalent in your jurisdiction), this update does NOTHING to meet any version of such a requirement that I’ve ever seen. Where a requirement exists, the requirements that I’ve seen require both of the following:

      1. You must use strong encryption of data using a standard encryption algorithm.
      2. You must be able to verify the implementation of the encryption algorithm either by having it open source or by relying on credible independent validation of the implementation.

      I was told by Intuit support that this password is being used to encrypt these files, but Charlie Russell indicated in an answer to one of my other comments that there’s no encryption here anyway. Even if it’s encrypted, it’s clear that this is not strong encryption since Intuit is offering a password recovery service online, which would not be possible with strong encryption. That knocks out #1.

      As for #2, I admit that I haven’t done a ton of research, but my impression is that Intuit has not specified an encryption algorithm (indeed Charlie Russell is saying there is no encryption, as I mentioned) let alone provided details of an encryption standard or any means to verify it.

      Based on these, where I have an obligation to protect, I am obliged to ignore whatever Intuit has done here and provide my own encryption. It’s not just that I think theirs is redundant – my requirements do not allow me to consider it to be secure at all. There are a lot of standards and the program is sold internationally, so I definitely don’t claim to have insight into the requirements of everyone reading this, but I can say for a lot of users in the USA that if Intuit has convinced you that this is “secure” now because of the password, they’ve done you a disservice and you’re potentially at risk.

      So, it’s not just that what’s happened here is extremely annoying, to say the least; it’s annoying with no clear benefits in security.

  • OK, let me clarify a few things:

    1) So that I could speak to the issue with authority, yesterday I took a QBDT file that had the new security rules applied, and successfully imported it into Xero. No problem there, as I expected.

    2) I wasn’t saying that the database isn’t encrypted, what I was referring to was the illogical statement that this had the “key characteristics of a ransom attack”. That kind of attack is where an outside agency encrypts your drive or database to prevent you from accessing it, and then demands a fee to unlock it. That certainly is not the case. That was a totally off the wall accusation that doesn’t add anything to this discussion.

    3) If you read the article, John, you’ll note that Intuit states that there was a “security vulnerability” that this update addresses, which I discussed briefly. I think I know what that issue was, and if I’m right then that particular issue may be separate from the password requirement issue. This update has more changes than just the password requirement (ask any add-on developer about what their customers had to do when they started using this update).

    4) Remember that the mechanism for requiring a complex password that changes every 90 days IS NOT NEW in this release. We’ve had that mechanism in QuickBooks for quite awhile now. If you enabled “credit card protection” then you had that requirement, and any business storing credit card information in their file SHOULD have had that enabled for PCI compliance. The issue with this release is a fairly simple one – Intuit has expanded the list of data points that invoke this requirement AND has taken away the ability for users to opt out. That one change, the inability to opt out, is the key issue and is the major difference from before.

    This isn’t a change in how the database is encrypted, because the mechanisms have been there all along. It is a simple case of Intuit taking control out of the user’s hands.

    As far as the comments about having to remember passwords for backups, that is a good thing to point out, it is one more reason why I believe that this feature has been implemented poorly. However, note that in many cases we have ALREADY had to deal with that issue for some time now, for data files that have had credit card protection enabled.

    • Thank you for clarifying the encryption and security issues. I hadn’t thought about the issue of keeping track of old passwords for backups till a comment mentioned it, since, as you say, changing passwords has been in place for some time for files with credit card protection enabled.

      Do you have a suggestion for a good practice for tracking old passwords for backups? Appending it to the file name is, I think, what most people would do, but probably isn’t the best security plan.

      • If I were saving backups of client files, or my own company’s files for archives, I would store the password information in a secure password locker such as RoboForm (which I use extensively and love) or LastPass.

    • Charlie, thanks for your replies. You seem to be much more thorough than Intuit’s support!

      To be clear, I did read your article and the Intuit description on their webpage. I’ve also called multiple times to Intuit support about specific issues related to this (I went through multiple rounds of QB being completely broken that are probably specific to my own circumstances), so part of what I’m posting here relates back to my interaction with Intuit support. What they are saying on the phone does not match what you are saying here on a few key points. Is that an issue with the quality of the support, or confusion overall about what they’ve done? I don’t know. I do know that multiple reps have told me the same things, often verbatim, as if they are reading off of a script.

      If they’ve got a true security patch (unrelated to the new password rules), then by all means they should push that out in a way that we can get without taking on the password rules. I don’t use credit cards through QB, so I don’t know what issues specific to that case might arise. (I can imagine that since Intuit is processing the payment, they may have *specific* end-to-end requirements there that are unique to processing credit card payments.) Beyond that, they pushed their nose into an area of “security” where I’m simply not allowed to delegate my responsibility to them, even if I want to. We really need them to get themselves back in their own lane so that we can all address our responsibilities in a straightforward way.

      The fact that some people had password requirements in prior versions of QB is, in my opinion, completely irrelevant. While I believe that it’s technically correct, it doesn’t mitigate the usability and security issues in the current release. I’m really not sure why you keep saying that, as it has no logical bearing on the issues and perspective raised by people encountering the requirements for the first time in R10.

      • Well, John, let’s just say that we agree that this password update change was not implemented well, and that there should be more control left in the consumer’s hands as far as that aspect of things.

        I’m certainly not defending their implementation.

        As far as Intuit support, I can’t speak for that. I haven’t used their lower level support for many years, for a variety of reasons.

  • Regarding backups and passwords: Ideally it is great to keep a log with the file name and the Admin password. However, that is probably rarely done. The good news is that Intuit has provided ways to reset a password via the security question or by requesting a code. When you find you do need to restore a backup, more than likely you’ll need to also upgrade the file to a later release or version of QuickBooks as well as change the Admin password (beyond the 90 day period).

    If you need to frequently access backup files, client files, etc., then you should review your processes and systems. Determine how you can establish secure methods to store passwords, security questions, file names, editions, and versions. Take a look at what you are using as a practice manager–does it provide a means to store this information? If not, consider a good password locker software. If you are using Method CRM, then either customize it to accommodate this need OR use the NEXT add-in for Method CRM. If you are using ShareFile to exchange files, take advantage of the note icon next to the file name to add the password. If you are using SmartVault to store/exchange files, add a document to the folder with the necessary information. As professionals, we not only need to track the passwords needed for our own practice but also for the information or portals for our clients. Use this “pain point” to re-evaluate and refine your systems.

    Should you be curious: for my needs I am using Method CRM with NEXT, LastPass, and QuickBooks File Manager. There is some redundancy in these products and I am in the process of re-evaluating my systems. In my practice I don’t regularly work with client files providing monthly services, so my needs are different from a typical bookkeeper or CPA practice.

    • If password locker software meets your requirements and is allowed in your environment, then ok. It’s worth noting for a wider audience (and Intuit if they are reading like Charlie suggests) that use of password lockers is itself considered a security vulnerability in a lot of environments and prohibited. Obviously I don’t know the specific circumstances under which Joan works, so I can’t say anything specific to her case.

      I think, also from the broad view, there’s this logical issue: If changing passwords every 90 days really is a security essential, then it’s clear that HAS to apply to the back-ups too. Meaning you would need either to change the password on every back-up file or delete them. (Both options being obviously ludicrous.) If changing every 90 days is not a real requirement, then why are we doing it? This goes again to the fundamental problem with Intuit taking on this aspect of security. Users need to be managing the security of these files because there’s no way that Intuit can do it in a consistent and secure way.

      • In the environments I have worked in (mostly smaller businesses, although not limited to that), appropriate password management tools have been widely used with great success. I can generally make a good case for implementing one when you show management what typically happens when you don’t use something like that. But, yes, there are cases where something like that isn’t allowed.

  • Charlie: I have been using QBPro for years and now and then purchase an updated program. I am using 2013 and 2014. I have no payroll and do not accept credit cards. I only use the database for my own small business. The 2013 asked for a password and 90 days ago asked for a new one. So very frustrating, and I assume if I go for a 2016 version, this is probably a requirement. Am unhappy with QuickBooks.

  • Thank you Charlie. It’s too late for me because I already did the update. I have worked with QB for many years now and I think their clients deserve more respect; not everybody works with sensitive info, and we should have been told prior to the upgrade and had the option to decide. When I contacted QB at 877-797-5809 and waited around 15 minutes to speak to a customer service rep to express my disappointment, I was told by a manager that it was the IRS that required this mandatory password. Unbelievable! I wonder what’s next… I guess QB has become more classified info than the emails from Hillary.

  • Purchased QB premier last week, called and demanded a refund, simply because they are TELLING me how to run my business, 12 years of quickbooks… won’t go back, needed a simpler program anyway…

  • Thanks for all of the time you’ve spent sharing your views and responding to people’s comments. In your discussions with Intuit, if they are unwilling to let customers opt out, can you at least convince them to have the program itself provide a report within QB showing why it believes complex passwords are required? At least that would give a subset of customers who don’t believe they have stored PII or other confidential data in the company file a chance at removing whatever QB is erroneously considering sensitive information. I can’t think of any logical reason they would object to doing this, and it would at least make a subset of their customers happier (although I agree with those that have said that complex passwords should be strongly suggested as opposed to mandated).

    • Thank you, but I don’t think I can “convince” Intuit on anything. I expect that there will be some change on this in the future, but we’ll have to see what comes up (if anything).

  • If this password nonsense continues, this will be my last upgrade for QuickBooks and ProSeries after 15+ years. I have physical and login security on my machines and don’t need anyone telling me how to manage my accounts with some cumbersome process that I didn’t ask for or need. I understand the need to better secure Pro Series and I can accept that but QuickBooks is plenty secure for what I need.

    I am starting to look for a replacement package today for next year.

  • What do I think? I think I’ll use QB 2015 for a few years, then move on to a different software package from a different company. The rollout of this “improvement” was not handled properly. Notification was poor (if we received it at all), and this is a very large detriment to the functionality of the package. It is interesting that Mac users aren’t saddled with this requirement — one of the difficulties of fixing a security vulnerability on the user’s end instead of actually fixing the software. I used to have a high opinion of Intuit. That was another thing they fixed with R10.

    I wouldn’t recommend this package to anyone at this point.

    • And I agree. I am ignoring the latest update (December, 2016) and will be changing software. As a single user for my one-employee company (me), I will be fully responsible for protection of my PII. Get out of my life, Intuit.

      • My two cents’ worth is AccountEdge Pro. I like their commitment to desktop vs. cloud; their conversion from QB is not super simple (no one’s is), but will do the trick, and they are offering a $100 discount NOW.

      • Charlie:

        Thank you for your interest. I wish I had a complete answer to your question – but I am a civil engineer (and small business owner), not an accountant. My copy of QuickBooks runs on a PC in my home. My wife and I are the only people with access to it, and the only ones who use it. I don’t ever “hand off” my files, as no one else needs them. In short, I don’t feel the need for this feature, yet it was forced on me. That, along with complete silence from Intuit (up until today, apparently), giving no indication that they were the least bit concerned about the uproar, is poor treatment of the customers, in my opinion. I’m glad they’ve been talking to you (apparently) about their studies and behind-the-scenes work; but I’m just a regular customer and have heard absolutely nothing.

        So, I don’t know what my options are at this point. I am of the opinion, however, that there is always an alternative; and, when the need arises, I am sure I can find one.

        WRT your comment about my Macintosh / software perception being off, my main point was that complex passwords couldn’t have been mandated (either by government or by circumstances), or they would have been necessary for the Mac version too. There’s obviously some problem with the Windows software (yes, it could be in how it interfaces with add-ons, still…), and imposing this requirement on Windows customers seems inferior to actually fixing the vulnerability.

        Thanks again for your interest.

        • As I said in the article on the recent update, there is no government requirement that I can see. My guess is that the “fix” to the vulnerability without changing the security feature would have created a much larger problem for a much wider range of people.

  • OK, folks. See my article on QuickBooks 2015 R13 at https://www.sleeter.com/blog/2016/12/quickbooks-2015-r13/

    This is the first version being updated to respond to the password security controversy. It shows what Intuit is going to consider as a way to address people’s concerns. They are rolling this out in the 2015 product and will watch what people think about this approach before trying it in other products.

    I welcome people’s comments on this change, but I would prefer that you comment on THAT article, if you don’t mind.

    Thanks!

  • BTW Charlie: Thank you very much for all your efforts in behalf of the QB users and staying on top of this mess. For me, however, the slight retreat by Intuit is too little too late, especially since I have QBP 2016 and the latest response from Intuit is only for 2015.

  • I don’t know if anyone mentioned this, but the problem we have is with bankruptcy cases. We get files all the time, and if we don’t have a password, we have to crack it with Passware. Since they put this new rule in place, cracking a file causes a password reset loop, and you can never get into the file.

    • Ah, well, I guess that is a good thing if you think about it, other than for you. Improved security! You’ll have to talk to Intuit about this to see if there is a way they can help, but it would be complicated.

  • 1) I closed my professional practice and retired 15 years ago.
    2) Years ago a rep from Intuit visited with me and asked for suggestions. I replied bring out a simplified version for guys like me who are retiring, and slowing up.
    3) The response was FIGMO.
    1 January 2017 we switched to a different accounting software. Has all the accounting features, but none of the fru fra bells and whistles which Intuit vomits out irrespective of the actual needs of their customers. You may recall how pate is made.
    4) It would be interesting to see if R Arsenault or M Lanier would take an interest in the multitude of people who have spent countless hours of unnecessary work because Intuit foisted this complex password requirement upon them WITHOUT PRIOR NOTIFICATION.

  • Imagine, if you will, that you want to make a backup of your company file. One of your sources for backing up to is Dropbox. So you, as you have done so frequently, back up to a QuickBooks folder within Dropbox, where you also keep the current setup file for the newest version of the software. The next day, you double-click on the QuickBooks Desktop 2017 icon and a window opens within QuickBooks stating that it can’t find your backup file. So you go into Dropbox manually and look for the file. Now you find that not only is the file missing but the entire folder where you kept the file and setup is gone also. You scratch your head and wonder what happened to it. You click on Dropbox properties to find there was in fact one file saved from the day before, but you can’t access it… anywhere within Dropbox. You call up Dropbox tech support and ask why you can’t access the file. Immediately they want to take control of your computer to do what??? So you tell them no, they need to access it on their end because that’s where the problem is. They say sure they can do that, but because you are using the free version with 2 GB, it’ll cost you $100.00. You hang up the phone and swear you’ll never use their app again. Problem is, they still have access to that file folder, whose security was either breached on their end, or a scamming Dropbox employee is going through people’s files looking for such a thing in order to commit ID theft. Doesn’t sound like a likely thing to happen? WRONG! It happened to me. Am I ever so thankful for Intuit’s forcing passwords on the company file? You betcha. My only concern is how secure the complex password security is. After all, most probably think Dropbox is secure. I beg to differ. What are the chances they can install the setup program and open the backup file?
