Intuit has released the QuickBooks 2015 R13 update for the U.S. version of QuickBooks. This is available as a manual update from the Intuit support website. It is also starting to roll out as an automatic update.
The big news in this release is a change to the enhanced security feature that I talked about in more detail in a prior article. This has been one of the hot-button subjects for QuickBooks users and advisors this year. In addition, this release has changes that relate to 1099 Misc e-filing.
QuickBooks Security Update Changes
Earlier this year Intuit changed QuickBooks desktop to require a “complex password” if you had any “personally identifiable information” (PII) in the company file. Intuit’s definition of PII was pretty broad – it could be employee Social Security Numbers, company bank details (routing or account numbers), vendor account numbers, or even your own company EIN. Their list made it very likely that your company file would be marked as requiring a complex password. Many users resented this intrusion in their workflow, and accountant users found that it made working with multiple client files much more complicated.
The other aspect of the security feature was the confusion about the requirement to change the password every 90 days. Note that in current releases of QuickBooks 2015, 2016 and 2017 you are only required to change the complex password if you have enabled the Customer Credit Card Protection feature. It has worked this way for a long time – this isn’t a new feature in the security update (as it stands now). Intuit’s messaging on this was confusing at first (“required” vs. “recommended”), but it has been clarified lately.
It has taken some time for Intuit to respond to the criticism of the higher level of security because they have been investigating different ways of modifying the feature and conducting multiple user surveys.
Starting with the U.S. version of QuickBooks 2015 R13 you now have an option to keep the user logged in for a specific number of days. If this feature is enabled for a QuickBooks company file, when you open that file it will automatically log you in without asking for a user name or password.
Note that this feature is off by default, you have to enable it in your Preferences.
Select Edit and then Preferences. Choose the General preferences and select the Company Preferences tab. You will see a new option, Manage Login Settings.
By default, this is set to “Log off every time a user closes the company file or exits QuickBooks.” That means if you close the company file or use the Log Off from Company option, you will be asked for the user name and password when you try to access a company file.
Now we have the option “Keep user logged in for” and a dropdown box with options for 1, 7, 30, 60 or 90 days. If you select this, when you exit and re-open this QuickBooks file you will not be asked for a user name and password until the selected time period expires. Essentially, as long as you don’t choose the Log Off from Company menu option, QuickBooks keeps you logged in to this file for the period of time that you select.
This is not a permanent opt-out feature, like some people have asked for. You are still going to be asked for a complex password. You will have to remember it and enter it, just not every time you open the file.
If you are a QuickBooks user using this for your own company, it will provide you with some relief. If you are an accounting professional dealing with multiple client files you are still going to have to keep track of client passwords in some fashion, though. You can set up different company files to each remember their password, but after 90 days (or less, depending on your preference setting) you are still going to have to enter that password.
Some detailed notes:
- This setting is per company file. You can enable it for one company file but not another.
- The setting can only be changed by the Admin user, and it affects every user of this company file. If you set it to remember credentials for one user, it will set all users to remember credentials (but credentials are stored per computer).
- This feature is currently only available in the U.S. version of QuickBooks 2015. I expect that it will show up in the UK and Canadian 2015 versions early next year. Intuit will probably see how well this change is accepted before they apply this to the 2016 and 2017 releases. It is not clear to me if they will be applying this to the 2014 release.
- User and password information is saved on your local computer, so if you go to another computer then your credential information won’t be seen. Each Windows user should have their own separate credentials saved with their login.
- If you have enabled Credit Card Protection then this feature will not be available. You will always have to enter a password when you open this file.
- You can also access this new feature through the Company menu. In that menu, Pro and Premier users will select Set Up Users and Passwords, Enterprise users will select Users, then (for all versions) select Manage Login Settings.
- This feature will not work if you are using a shared hosted QuickBooks environment.
Windows Credential Manager Vault
Intuit is storing your login credentials in your Windows Credential Manager Vault. You’ll find this in your Windows Control Panel. This isn’t something that you normally would manage, I’m just bringing it up because I love these little technical details. However, the fact that Intuit is using this mechanism does have some impact on how the program works.
You can’t see the password here, but you can edit it. Don’t bother, though, because changing the password here doesn’t change it in the QuickBooks file, so the automatic login won’t work the next time you open the file.
How does using this process impact how QuickBooks works?
- The Windows Credential Manager Vault was introduced in Windows 7, so older versions of Windows won’t support this feature. That shouldn’t be an issue – you shouldn’t be using older (unsupported) versions of Windows.
- If you are running QuickBooks in a shared hosted QuickBooks environment you won’t see this new feature, because you don’t have separate credentials saved for users there.
- The credentials store the company name, not the file name. So, if you change the name of the QuickBooks company file, that won’t affect the credentials, but if you go into Company Information and change the company name there it should invalidate your credentials. Not a big problem, that just means that you would be asked for a password the next time you open the file.
- If for some reason you want to clear out all of the saved passwords on a particular computer system, you can go into the Windows Credential Manager and delete all of the “Intuit_QBDT” generic credentials.
Does This Improve Security or Hurt Security?
I’ve been debating this ever since the increased security feature was first released. Has Intuit really improved the security of our company data? I can argue both sides of the question.
In some cases, the change in this release makes little difference. If you store credit card information in your QuickBooks file and are concerned with PCI compliance, you should already have enabled the Credit Card Protection feature. That has been around for a while, and it has always required a complex password that changes every 90 days. No real change here. As a side note, I generally recommend that you do not store customer credit card information in QuickBooks. Have that information kept off your computer, kept in your payment processing system.
Allowing the “Keep user logged in” setting means that you are relying on Windows login security. That means that for your everyday use you should set up a Windows user account that is not the admin user on your computer, create a secure login password, and log out of Windows every time you walk away from your computer. Windows security becomes your main level of protection. I have to ask you, is this how you work with your computer? Do you always log out? When I conduct a security audit of a new client, in a small business, I rarely see people working this way. People don’t log out of Windows when they step away. They don’t use complicated passwords If they do then it often is found on a sticky note on their desk. I think that the “Keep user logged in” feature actually decreases security in most cases, since anyone can get in to the file from your computer if you leave it unattended and logged in.
Heck, if Intuit is going to do this, then why not just make the security feature optional? Why can’t we just opt out of the requirement?
For accounting offices dealing with multiple clients, particularly in situations where they may need to restore backup copies made at different intervals, I’m afraid that we’ll see people keeping Excel spreadsheets to track the various client files and their associated passwords. Not very secure!
Some further comments:
- For accountants, if they are going to keep this feature, I wish that Intuit would invest some development time into the QuickBooks File Manager. Make it a true multi-user program (it isn’t now), set up different user logins so that you can control who has access to different files, store client file passwords with each revision of a file that is stored. Unfortunately, I just don’t see Intuit spending the effort on improving this feature.
- If you are dealing with different QuickBooks files, and/or different backup versions of different files, consider using a secure password management program like RoboForm (which I use and really like) or LastPass. These are great, secure products that can be used to manage multiple passwords. They both have multi-user versions. I use RoboForm to keep track of all of my logins, not only for QuickBooks but for all of the many websites that I use. It syncs this information across all of my devices and computers, and is extremely secure.
- One of the reasons Intuit is interested in ramping up QuickBooks file security is to protect your file in transit or while it is in other hands. That is, even if you are not concerned about increased security in your own premises, you should be concerned when you hand that file off to someone else. If this is their main case, I wish that Intuit had investigated options on adding increased security whenever you saved a backup or portable company file, or found some way to determine that the file had been handed off to someone. Tie it in to the computer or server that it normally resides on, increase (optionally) the security when the file is exported or moved away from there.
- There has been a lot of talk about this increased security being required by the IRS. That is a load of bunk as far as I’m concerned. The IRS is concerned with tax returns, and I’ve not found anything that says that they require this kind of security on your accounting files. As far as I can tell this hasn’t been officially stated by Intuit management – it has come up in comments from Intuit support staff and spread rapidly through various discussion forums. If you can reference something from the IRS that explicitly recommends this, let me know.
- The new option to keep a user logged in is not recommended if you have multiple Windows users who log in with the same account. Every person using that account is going to be logged in automatically with the last credentials that are used, unless every user specifically logs out of the company file every time they exit. If people don’t do that, everyone will be using that last login account and you have no control over permissions, nor any visibility in the audit trail of who does what.
Now, having ranted a little bit about this (and I’m sure we’ll see lots of user comments like that as well), I have to say that most business users are too careless with security and password management. I understand that security is time-consuming and a pain, and that this increased level of security in QuickBooks is seen as interfering and irritating. But, people need to pay more attention to file and computer security.
I just wish that Intuit had taken a different approach to this issue. In any case, the changes in QuickBooks 2015 R13 will help ease the pain for some people.
What do you think?
1099 Misc E-filing
Intuit is partnering with Tax1099.com to support e-filing of 1099 forms. This is the same update as I mentioned earlier for the QuickBooks 2016 R9 update. Tax1099.com was recognized as a 2016 User Favorite award at Accountex USA.
Earlier this year I wrote about how Intuit was discontinuing the Intuit Sync Manager utility. That impacted the Intuit 1099 e-file service, which depended on this utility. So, since Intuit’s own service can’t work with QuickBooks desktop any more, they’ve partnered with a company that doesn’t need the Intuit Sync Manager utility.
In an article that I wrote about preparing 1099 Misc forms about two years ago, I mentioned Tax1099.com. They have an interface for QuickBooks desktop that relies on the QuickBooks SDK, which is the integration method that Intuit still supports. That solves the problem! Tax1099.com offers e-delivery of forms in addition to e-filing, which I feel is very important. This is a good choice to work with, but you need to determine if Tax1099.com’s fee structure fits your needs. There is a fee calculator here.
Intuit has published a support article (KB1436803) that talks about the details of this integration. Note that QuickBooks desktop doesn’t support all of the information needed for Wisconsin filers, but Tax1099.com provides a way to enter that information if you are e-filing.
Search Bug Fix
This release fixes a bug where QuickBooks would hang if you tried to change the Search Box Preferences in multi user mode.