Intuit has been rolling out a QuickBooks Desktop security update and the changes have created quite an uproar in both the user and accounting professional communities. Looking at these discussions I see that there is confusion and a few misconceptions about the changes, along with a lot of anger. Let’s take a closer look at what has been changed, and why.
Note: This article was updated shortly after publication for information on QuickBooks 2015, and then on 7/8/2016 to add some corrections.
Charlie Russell will be presenting the session, Recent Developments in QuickBooks and Looking Ahead, at Accountex 2016.
QuickBooks Desktop Security Update Hullaballoo
In a nutshell, Intuit is updating supported versions of QuickBooks desktop (for Windows) so that most users are now required to have a complex password, depending on what information they have stored in their file. This is a change from before, where you only were required to have this kind of password if you enabled Customer Credit Card Protection, a feature needed for security when storing credit card information in your QuickBooks files.
QuickBooks users are suddenly finding that they cannot get into their QuickBooks files without first creating a new, complex password, even if they don’t have credit card information stored in the file. This creates an additional hassle for many users.
Accounting professionals are now faced with managing a large number of unique passwords across multiple client files, for every accounting user who has to access those files, which is creating a huge amount of extra work and inconvenience.
Complex QuickBooks Passwords
As we’ve seen with the release of QuickBooks 2016 R7, Intuit has started requiring that all users have a “complex QuickBooks password” in some but not all cases. If you upgrade your file from a prior version (a prior year of QuickBooks, or a 2016 version earlier than R7) you may see this kind of message:
A Complex QuickBooks Password is a password that has at least 7 characters, and it includes at least one number and one uppercase letter.
A key issue that has some people upset is the requirement to change the password every 90 days. It’s bad enough that you have to create a harder-to-remember complex password, but you also have to change it every 90 days? And you can’t just switch back and forth between two passwords, you have to go through about five different passwords before you can repeat one again? What a pain!
However, you don’t necessarily have to change every 90 days. As I’ll discuss below, sometimes this is required, sometimes it is just recommended. This is an important point that is being missed in many of the discussions I’ve seen.
Note that this is how it works in QuickBooks 2016 and 2015 in the most current updates. Users of QuickBooks 2014 and probably 2013 won’t see “recommended”, they’ll see “required”, at least for the time being.
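To make the password rules above concrete, here is an added example (my own illustration, not code from the article or from Intuit) that checks a candidate password against the complexity rule as stated here, models the reuse restriction, and flags the 90-day rotation as either required or recommended. The history depth of five and the way prior passwords are kept as hashes are assumptions for the example; the article only says "about five" and says nothing about how QuickBooks stores its history.

```python
import hashlib
import string
from datetime import date

# Complexity rule as the article states it: at least 7 characters,
# at least one number and at least one uppercase letter.
MIN_LENGTH = 7
# Number of previous passwords that cannot be reused. The article says
# "about five"; the exact depth is an assumption for this example.
HISTORY_DEPTH = 5
ROTATION_DAYS = 90


def complexity_problems(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means the password is complex."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    return problems


def is_complex(password: str) -> bool:
    return not complexity_problems(password)


def _digest(password: str) -> str:
    # Assumption for the example: prior passwords are remembered as hashes so the
    # reuse check can recognise a repeat without keeping clear-text passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_history(previous_passwords: list[str]) -> list[str]:
    """Digests of previous passwords, oldest first."""
    return [_digest(p) for p in previous_passwords]


def is_reuse(new_password: str, history: list[str], depth: int = HISTORY_DEPTH) -> bool:
    """Only the most recent `depth` entries block reuse, so a password older than
    that becomes available again: the 'cycle through about five' behaviour."""
    return _digest(new_password) in history[-depth:]


def evaluate_change(new_password: str, history: list[str]) -> tuple[bool, list[str]]:
    """Combine complexity and reuse checks. Returns (accepted, reasons)."""
    reasons = complexity_problems(new_password)
    if is_reuse(new_password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return (not reasons, reasons)


def rotation_due(last_changed: date, today: date, days: int = ROTATION_DAYS) -> bool:
    return (today - last_changed).days >= days


def rotation_status(last_changed: date, today: date, rotation_required: bool) -> str:
    """Mirror the article's distinction: once 90 days have passed, the change is
    'required' when Customer Credit Card Protection is on and only 'recommended'
    otherwise (the behaviour described for the current 2016 update)."""
    if not rotation_due(last_changed, today):
        return "ok"
    return "change required" if rotation_required else "change recommended"


if __name__ == "__main__":
    # Constructed sample history (oldest first).
    history = build_history([f"Alpha00{i}" for i in range(1, 7)])
    for candidate in ("alpha", "Alpha006", "Alpha001", "Alpha007"):
        print(candidate, evaluate_change(candidate, history))
    print(rotation_status(date(2016, 4, 1), date(2016, 7, 8), rotation_required=False))
```

The reuse check deliberately looks only at the last five digests, so `Alpha001` in the sample is accepted again while `Alpha002` through `Alpha006` are still blocked.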
Another aspect of this update, if the Admin user is required to have a complex password, is that QuickBooks is going to require that all user accounts in this file have a complex password.
This window says that passwords are strongly recommended, but in my testing so far I’ve found that these users must have a password, and that it must be a complex password, or they can’t log in.
I don’t like Intuit’s suggestion that you delete inactive user accounts, though. As it stands now, if you delete a user then that user name is deleted from the audit trail. The audit trail still shows the transactions for that user, but you can’t tell which user created them. Until Intuit fixes that I generally don’t recommend that you delete a user account.
Why Some People Are Upset
There are lots of reasons why people don’t like this update, some reasons are more valid than others in my eyes. I do feel that too many businesses are lax with security. I’ll extend that to some accounting professionals as well, who should know better. All too often we see situations where there are no passwords at all, or people use passwords that are worthless.
Some reasons why people are upset:
- What if you don’t feel that you have critical information that needs to be protected? Some people use QuickBooks for very simple tasks, they don’t feel that passwords are needed. But Intuit is making that decision for you.
- Why complex passwords? These are harder to remember, and people are more likely to just write the password on a sticky note stuck to the monitor.
- Changing every 90 days? If that is required (and it isn’t always, depending on circumstances) it creates a huge hassle in keeping things up to date, and remembering the latest password.
- What if your business runs multiple QuickBooks files? Your user login is set per company file, so every user has to remember a complex password for each separate file.
- What about accounting firms where you may have a large number of separate QuickBooks client files, but also could have a large number of employees/users who are accessing those files? Management of that many files and users can be a major chore.
- On a personal note, for someone like me who is testing QuickBooks in a wide variety of configurations, this update is a pain in the rear. But that isn’t something that is significant (other than to me).
What Triggers the Need for a Complex Password
A lot of the confusion here is that up to now, you only needed a complex password if you were dealing with credit card information. Now people without credit card information are seeing this, and it is very confusing.
Now there are two classes of triggers for the complex password requirement in the QuickBooks desktop security update: customer credit card information and personally identifiable information.
Customer Credit Card Information
We’ve talked about PCI compliance on multiple occasions, where (I’m summarizing quite a bit) if your business stores client credit card information in your files you have to protect that information. It makes sense that if you are storing credit card information then you should have a complex password for anyone who has access to the data.
If you enable Customer Credit Card Protection (an option in the Company menu) then you must have a complex password, and you are required to change it every 90 days. This makes sense, and QuickBooks has worked that way for some time now. Supposedly all files that had this feature enabled before this security update already had this kind of password set up, but now QuickBooks is checking all user accounts in the file to make sure that they are set up properly.
What is changed with this security update is that you are required to have a complex password for all users even if you have not enabled Customer Credit Card Protection. If you have stored credit card information in any customer record in the file then you must have a complex password. However, you are not required to change it every 90 days if that feature isn’t enabled.
This is one of the changes in this update that is upsetting some people – they may have some credit card information in a customer record, somewhere, and that triggers this requirement. You can find those customers and delete the information to get around this, but there isn’t a report that I’m aware of that will list the customer and their credit card number. It can be painful to find that one customer record that is setting this feature off.
As a side note, when setting up a user in QuickBooks you have an option to allow them to view complete customer credit card numbers. I’m showing that option in Premier in the screen shot below. This apparently has no effect on this security issue, because if I un-check this box then the user still must have a complex password. Too bad, this would have been an easy way to let some users into the system without requiring a complex password, since they can’t see this credit card data.
Personally Identifiable Information
If your file has Personally Identifiable Information (PII) in it then you will be required to have a complex password for all users, but you will not need to change them every 90 days in QuickBooks 2016. At this point I believe you still need to change every 90 days in QuickBooks 2015 and 2014, but that requirement may change in the future when Intuit brings those products up to the same level as 2016.
What kind of information is considered PII? I’ve found that it is very rare to have a file that does not have PII. According to the Intuit security KB article, PII is:
- An employee record with a Social Security Number. Note that this is true even if you aren’t using Intuit payroll.
- Any vendor record with a Vendor Tax ID, even if you aren’t processing 1099s.
- Any “bank” account in your Chart of Accounts with a Bank Account Number or a Routing Number, even if you aren’t using online banking.
- An Employer Identification Number (EIN) or Social Security Number (SSN) in your Company Information.
That covers every client company file that I work with, and pretty much every test file I’ve set up.
Note that if you turn Customer Credit Card Protection off and remove all of this Personally Identifiable Information, you are no longer required to have a complex password. And, again, the 90-day renewal should only be required if you have Customer Credit Card Protection enabled.
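Here is an added example (my own, not Intuit’s logic or code) that puts the trigger rules from this section into one evaluator: which stored data triggers the complex-password requirement, whether the 90-day change is required or only recommended, and that the per-user "view complete credit card numbers" permission has no effect. The `CompanyFile` model and its field names are constructed for the example. Because the article notes that the recommended-versus-required behaviour differs by product year and release, that part is a parameter (`rotation_recommended_when_ccp_off`) rather than a hard-coded year.

```python
from dataclasses import dataclass


@dataclass
class CompanyFile:
    """Constructed model of the fields the article says trigger the requirement."""
    credit_card_protection: bool = False   # Customer Credit Card Protection (Company menu)
    customers_with_card_numbers: int = 0   # customer records storing a card number
    employees_with_ssn: int = 0            # employee records with an SSN
    vendors_with_tax_id: int = 0           # vendor records with a Vendor Tax ID
    bank_accounts_with_numbers: int = 0    # bank accounts with account or routing number
    company_ein_or_ssn: bool = False       # EIN or SSN in Company Information


@dataclass
class User:
    name: str
    can_view_full_card_numbers: bool = True  # has no effect on the password rule


def pii_triggers(f: CompanyFile) -> list[str]:
    """The PII items the article lists from the Intuit KB article."""
    triggers = []
    if f.employees_with_ssn:
        triggers.append("employee SSN")
    if f.vendors_with_tax_id:
        triggers.append("vendor tax ID")
    if f.bank_accounts_with_numbers:
        triggers.append("bank account/routing number")
    if f.company_ein_or_ssn:
        triggers.append("company EIN/SSN")
    return triggers


def password_policy(f: CompanyFile, rotation_recommended_when_ccp_off: bool = True) -> dict:
    """Decide whether complex passwords are required and what the 90-day rule is."""
    triggers = []
    if f.credit_card_protection:
        triggers.append("Customer Credit Card Protection enabled")
    if f.customers_with_card_numbers:
        triggers.append("customer record stores a card number")
    triggers += pii_triggers(f)

    if not triggers:
        # Credit Card Protection off and no card data or PII: no requirement at all.
        return {"complex_required": False, "rotation_90_days": "not required", "triggers": []}
    if f.credit_card_protection:
        rotation = "required"
    elif rotation_recommended_when_ccp_off:
        rotation = "recommended"
    else:
        rotation = "required"  # behaviour the article describes for older products
    return {"complex_required": True, "rotation_90_days": rotation, "triggers": triggers}


def users_needing_complex_password(f: CompanyFile, users: list[User]) -> list[str]:
    """If the file requires a complex password, every user account needs one;
    the per-user card-viewing permission does not exempt anyone."""
    if not password_policy(f)["complex_required"]:
        return []
    return [u.name for u in users]


if __name__ == "__main__":
    users = [User("Admin"), User("Clerk", can_view_full_card_numbers=False)]
    typical = CompanyFile(company_ein_or_ssn=True, vendors_with_tax_id=3)
    print(password_policy(typical))
    print(users_needing_complex_password(typical, users))
    stripped = CompanyFile()  # everything removed, protection off
    print(password_policy(stripped))
```

The `stripped` case at the end models the article’s escape hatch: with Credit Card Protection off and all listed PII removed, the evaluator reports no requirement.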
QuickBooks Desktop Security Updates Versions
This security update only affects the Windows versions of QuickBooks desktop, including Pro, Premier, Accountant and Enterprise. You won’t see this issue in QuickBooks Online or QuickBooks for Mac.
It affects all of Intuit’s supported national versions, including the US, Canadian and UK versions.
Beyond that you need to look at the year and the revision of your product. To see this, run QuickBooks and press the F2 key to open the Product Information window. This will show you the year and release of QuickBooks. For instance, this is the 2016 release, revision R7_114.
Generally when we talk about a revision we are talking about the first part of that R-level notation. This would be release “R7”, for example. You generally have to approve the installation of an R-level update, such as moving from R6 to R7. Intuit provides some information on what these updates contain when they come out, listed in their support website. I try to let people know about these updates when they occur.
Intuit also has a “background” update mechanism that can install updates without you having to specifically approve installation (although you must have Automatic Updates enabled for this to happen). Usually Intuit doesn’t notify us about these background updates, and usually they don’t involve significant changes (except in this case!). The number after the underscore represents the level of the background update – in this case you have the “114” update to R7. Often I don’t pay a lot of attention to these background updates, but in this case this is important information.
Here are the versions of QuickBooks that have implemented the QuickBooks Security Updates. If you don’t have the full revision number listed, or later, then you don’t have this update.
- QuickBooks 2016 R7_114
- QuickBooks 2015 R10_15
- QuickBooks 2014 R11_40
QuickBooks 2013 and older are no longer supported by Intuit, and they told me that this year of product doesn’t have this security update. Note, though, that at the time I’m writing this the Intuit security KB article states that this update also was released in QuickBooks 2013 R18_4.
However, note that at this point the 2016 and 2015 products differ from the 2014 and 2013 products. In 2016 R7 and 2015 R10 if you don’t have Credit Card Protection enabled you are not required to change your password every 90 days. That will be “recommended”, not “required”. In the other products you may still be required to change it every 90 days if you are forced to have a complex password. I expect that this will change at some future date when Intuit brings those older products up to speed with changes in 2016, although I can’t be sure.
Note: When this article was published initially, only the 2016 product had this feature. Shortly after publication Intuit updated the 2015 product to include it also.
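As an added example (my own, not an Intuit tool), the following parses the R-level notation described above, splitting “R7_114” into the release number and the background-update number, and compares it against the minimum revisions listed in this section to tell whether a given installation already carries the security update. The 2013 entry is the one the article says appears in the Intuit KB article. The `parse_product_info` helper assumes a simple text line containing the year and the revision; the real Product Information window layout is not described on the page, so that format is constructed here.

```python
import re

# Minimum revisions that include the security update, as listed in the article.
# 2013 is included because the Intuit KB article cites it, even though the
# article also reports Intuit saying 2013 does not have the update.
SECURITY_UPDATE_MINIMUM = {
    2016: "R7_114",
    2015: "R10_15",
    2014: "R11_40",
    2013: "R18_4",
}

_REVISION = re.compile(r"^R(\d+)(?:_(\d+))?$")
# Constructed format for a Product Information line: a four-digit year somewhere
# in the text followed (not necessarily directly) by an R-level token.
_PRODUCT_LINE = re.compile(r"\b(20\d{2})\b.*?\b(R\d+(?:_\d+)?)\b")


def parse_revision(rev: str) -> tuple[int, int]:
    """'R7_114' -> (7, 114); a bare 'R7' counts as background level 0."""
    m = _REVISION.match(rev.strip())
    if not m:
        raise ValueError(f"unrecognised revision string: {rev!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def has_security_update(year: int, rev: str):
    """True/False for the years in the table; None when the year is not listed
    (for example an unsupported older year), so the caller can tell 'unknown'
    apart from 'not updated'."""
    minimum = SECURITY_UPDATE_MINIMUM.get(year)
    if minimum is None:
        return None
    # Tuple comparison orders by release first, then background level,
    # so R8 (8, 0) is newer than R7_114 (7, 114).
    return parse_revision(rev) >= parse_revision(minimum)


def parse_product_info(line: str) -> tuple[int, str]:
    """Extract (year, revision) from a constructed Product Information line."""
    m = _PRODUCT_LINE.search(line)
    if not m:
        raise ValueError(f"no year/revision found in: {line!r}")
    return int(m.group(1)), m.group(2)


def check_product_info(line: str):
    year, rev = parse_product_info(line)
    return has_security_update(year, rev)


if __name__ == "__main__":
    # Constructed sample lines; the wording is not the real window text.
    for line in ("QuickBooks Premier 2016 Release R7_114",
                 "QuickBooks Enterprise 2016 Release R6_32",
                 "QuickBooks Pro 2012 Release R16_2"):
        print(line, "->", check_product_info(line))
```

Treating `None` as a distinct answer matters for the older years: an unlisted year is not evidence either way, which is exactly the ambiguity the article describes for 2013.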
What Intuit Says
According to Intuit:
Intuit has identified, and is implementing updates to address a security vulnerability in QuickBooks desktop software. We are proactively notifying customers of the steps required to install an update, which is designed to address the security vulnerability, and regarding other steps they can take to protect themselves and their data. To help protect customers, we don’t disclose specific details about security vulnerabilities that we discover. This information could be used by criminals to find and take advantage of the vulnerability. At this time, we know of no cases where anyone has taken advantage of this vulnerability to obtain sensitive data.
What Can You Do?
There are only two ways to avoid all of these password requirements: Don’t install this update or remove all of the sensitive information from your file (and turn customer credit card protection off).
Neither of these approaches is practical in many cases. Sure, you can use a third-party setup to keep customer credit card information out of your file – in fact, I recommend that highly. Don’t have credit card info on hand at all, use some outside service like Bill and Pay or Bill.com to handle that, it will save you a lot of headaches. But if you are using an Intuit payroll system, sending vendor 1099s through QuickBooks, using QuickBooks Payments, or using bank feeds, you are going to trigger this security issue.
I generally don’t recommend that you freeze your QuickBooks installation at a particular revision. Intuit is always working on bug fixes and reliability updates, so it is (usually) best to keep your product up to date. I do often recommend that you wait to install a revision until we are sure that the revision doesn’t cause more problems than it will fix, and on occasion there have been some updates that I tell people to skip. But even if we recommend skipping a revision, you are going to install a later revision down the line. With this security update I don’t see Intuit backing off or making really large changes down the line. I could be mistaken on that account, but from what I see this is going to be the way it works moving forward. So you are eventually going to want to install an update that has this change in it, someday.
As far as removing all the sensitive data from your file, for most businesses that just isn’t practical.
And, you probably need to do this before you update to these revisions. Once this level of security is enabled, I don’t believe that you can back out of it. Removing the sensitive data after the fact probably won’t rescind the extra security. Updated 7/8/2016: Intuit confirmed that if you remove all PII and credit card info, and turn Credit Card Protection off, the complex password requirement will be removed.
So it looks like we are stuck with it, pretty much.
For those accounting firms that manage a large number of client files, I recommend that you look into a password management program like LastPass or RoboForm. These products can save you a lot of headaches when tracking multiple passwords.
My Thoughts On the QuickBooks Desktop Security Update
Yes, this is a pain in the rear to deal with, but data security is an important issue that many businesses tend to ignore.
I’ll go out on a limb here, and I’m sure that some people won’t agree with me. I recommend that you install this update and accept the higher level of security. It is going to be there in all releases moving forward, and it isn’t a good idea for people to stall their installation at a particular revision level.
Data security is important and this update is addressing, according to Intuit, a “security vulnerability”. I don’t have any solid information about the security vulnerability that they have identified, so it is hard for me to evaluate the need for a change like this. However, there are a number of clues floating about and I think I have a handle on at least one aspect of this. If I’m right, then these changes are a good idea, although Intuit may have taken the issue a bit further than we all would have liked.
With a desktop product like QuickBooks your security exposure is very different than with something like QuickBooks Online. You have a better chance for “physical” data security – controlling access to your computer network, preventing unauthorized access to files, implementing good password controls and so forth. But, is your data totally secure? When I visit businesses that use QuickBooks and look at their procedures I often find that they aren’t really taking enough precautions with their data.
So, Intuit is forcing everyone to implement a higher level of password control if there is any kind of information stored that should be protected. And I’m guessing that we’ll see some more changes in the future that focus on data security (hopefully not as intrusive as this one).
I do have some issues with how Intuit has implemented this security update, though:
- I don’t think that Intuit did a good job in notifying people in advance about what the changes would be. In particular, I would have liked to see Intuit do a better job in communicating to ProAdvisors what the changes would be and why they were being made, in advance of the release. Some notifications went out, but the full impact of these changes wasn’t apparent. This caught a lot of people by surprise.
- It would have been helpful if Intuit had made this an optional feature. You can choose to implement Credit Card Protection, for example, couldn’t they also extend that in some way to allow us to opt in for protection of Personally Identifiable Information (PII)? Let the users opt in (or at least opt out) of this additional security. Intuit is making it clear that they are putting security first, to protect their customers’ data, but we still need to have some control over our business flow. And, I’m well aware that many people will turn security features off even if they shouldn’t, so is this the best way for Intuit to go? To force everyone into a higher level of security?
I’m concerned that these changes, as they stand now, are going to either make people not update their program (which is a bad thing in the long term), or to turn to less secure ways of dealing with these passwords. More sticky notes with passwords, less secure passwords (company name with a date, or something like that), accounting firms using the same password for all of their client files, and so forth.
I wish that Intuit had a better way to deal with passwords like this, but a lot of the suggestions that I’ve heard from people are just too technically complicated to implement in QuickBooks desktop.
Many products treat user accounts very differently than QuickBooks does. User logins aren’t associated with just one company file, you will often have a user credential that works across multiple individual files. That, along with changes in how preferences are managed, would go a long way toward resolving the issues of this update. However, that would require a major overhaul of QuickBooks, and the thought of that scares me. QuickBooks is an old product, and it seems to be really sensitive to major changes. The work it would take to make this kind of change would be significant, and even if Intuit wanted to spend the money and time to do it, I would be very, very worried about how this would affect the reliability of the product.
For accountants, we have the QuickBooks File Manager. It helps by managing client files and storing passwords. I don’t see a lot of people using that, to tell the truth. It is an underdeveloped feature; last I looked at it, the multiuser functionality was very poor (almost nonexistent). If we are going to accept the security updates as they exist, it would be very helpful to accounting professionals if Intuit would put some significant effort into improving the functionality of QuickBooks File Manager.
So, what do you think? Leave a comment here so that Intuit can see. How would you change this update, how important is this kind of security for you, why is this update a problem for your business?