QuickBooks

QuickBooks 2015 R13 Security Changes

Written by Charlie Russell

Intuit has released the QuickBooks 2015 R13 update for the U.S. version of QuickBooks. This is available as a manual update from the Intuit support website. It is also starting to roll out as an automatic update.

The big news in this release is a change to the enhanced security feature that I talked about in more detail in a prior article. This has been one of the hot-button subjects for QuickBooks users and advisors this year. In addition, this release has changes that relate to 1099 Misc e-filing.

QuickBooks Security Update Changes

Earlier this year Intuit changed QuickBooks desktop to require a “complex password” if you had any “personally identifiable information” (PII) in the company file. Intuit’s definition of PII was pretty broad – it could be employee Social Security Numbers, company bank details (routing or account numbers), vendor account numbers, or even your own company EIN. Their list made it very likely that your company file would be marked as requiring a complex password. Many users resented this intrusion in their workflow, and accountant users found that it made working with multiple client files much more complicated.

The other aspect of the security feature was the confusion about the requirement to change the password every 90 days. Note that in current releases of QuickBooks 2015, 2016 and 2017 you are only required to change the complex password if you have enabled the Customer Credit Card Protection feature. It has worked this way for a long time – this isn’t a new feature in the security update (as it stands now). Intuit’s messaging on this was confusing at first (“required” vs. “recommended”), but it has been clarified lately.

It has taken some time for Intuit to respond to the criticism of the higher level of security because they have been investigating different ways of modifying the feature and conducting multiple user surveys.

Starting with the U.S. version of QuickBooks 2015 R13 you now have an option to keep the user logged in for a specific number of days. If this feature is enabled for a QuickBooks company file, when you open that file it will automatically log you in without asking for a user name or password.

Note that this feature is off by default; you have to enable it in your Preferences.

Select Edit and then Preferences. Choose the General preferences and select the Company Preferences tab. You will see a new option, Manage Login Settings.

By default, this is set to “Log off every time a user closes the company file or exits QuickBooks.” That means if you close the company file or use the Log Off from Company option, you will be asked for the user name and password when you try to access a company file.

Now we have the option “Keep user logged in for” and a dropdown box with options for 1, 7, 30, 60 or 90 days. If you select this, when you exit and re-open this QuickBooks file you will not be asked for a user name and password until the selected time period expires. Essentially, as long as you don’t choose the Log Off from Company menu option, QuickBooks keeps you logged in to this file for the period of time that you select.

This is not a permanent opt-out feature, like some people have asked for. You are still going to be asked for a complex password. You will have to remember it and enter it, just not every time you open the file.

If you are a QuickBooks user using this for your own company, it will provide you with some relief. If you are an accounting professional dealing with multiple client files you are still going to have to keep track of client passwords in some fashion, though. You can set up different company files to each remember their password, but after 90 days (or less, depending on your preference setting) you are still going to have to enter that password.

Some detailed notes:

  • This setting is per company file. You can enable it for one company file but not another.
  • The setting can only be changed by the Admin user, and it affects every user of this company file. If you set it to remember credentials for one user, it will set all users to remember credentials (but credentials are stored per computer).
  • This feature is currently only available in the U.S. version of QuickBooks 2015. I expect that it will show up in the UK and Canadian 2015 versions early next year. Intuit will probably see how well this change is accepted before they apply this to the 2016 and 2017 releases. It is not clear to me if they will be applying this to the 2014 release.
  • User and password information is saved on your local computer, so if you go to another computer then your credential information won’t be seen. Each Windows user should have their own separate credentials saved with their login.
  • If you have enabled Credit Card Protection then this feature will not be available. You will always have to enter a password when you open this file.
  • You can also access this new feature through the Company menu. In that menu, Pro and Premier users will select Set Up Users and Passwords, Enterprise users will select Users, then (for all versions) select Manage Login Settings.
  • This feature will not work if you are using a shared hosted QuickBooks environment.

Windows Credential Manager Vault

Intuit is storing your login credentials in your Windows Credential Manager Vault. You’ll find this in your Windows Control Panel. This isn’t something that you normally would manage; I’m just bringing it up because I love these little technical details. However, the fact that Intuit is using this mechanism does have some impact on how the program works.

You can’t see the password here, but you can edit it. Don’t bother, though, because changing the password here doesn’t change it in the QuickBooks file, so the automatic login won’t work the next time you open the file.

How does using this process impact how QuickBooks works?

  • The Windows Credential Manager Vault was introduced in Windows 7, so older versions of Windows won’t support this feature. That shouldn’t be an issue – you shouldn’t be using older (unsupported) versions of Windows.
  • If you are running QuickBooks in a shared hosted QuickBooks environment you won’t see this new feature, because you don’t have separate credentials saved for users there.
  • The credentials store the company name, not the file name. So, if you change the name of the QuickBooks company file, that won’t affect the credentials, but if you go into Company Information and change the company name there it should invalidate your credentials. Not a big problem, that just means that you would be asked for a password the next time you open the file.
  • If for some reason you want to clear out all of the saved passwords on a particular computer system, you can go into the Windows Credential Manager and delete all of the “Intuit_QBDT” generic credentials.
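As an added example (not from Intuit or the original article), this PowerShell sketch lists the saved QuickBooks logins for the current Windows user and can delete them, which is useful when checking a shared workstation. The function names `Get-QbSavedLogin` and `Remove-QbSavedLogin` are hypothetical, the sample output is constructed, and the only thing assumed about the entry names is that they contain “Intuit_QBDT”.

```powershell
# Added example: audit, and optionally remove, QuickBooks auto-login entries
# saved in the current Windows user's Credential Manager.
# Assumption: saved entries contain "Intuit_QBDT" in the target name, as the
# article describes. Parsing assumes English `cmdkey /list` labels.

function Get-QbSavedLogin {
    param(
        # Lines of `cmdkey /list` output; read from the live store if omitted.
        [string[]]$CmdkeyOutput = (cmdkey /list),
        [string]$Marker = 'Intuit_QBDT'
    )
    $entries = New-Object System.Collections.Generic.List[object]
    $current = $null
    foreach ($line in $CmdkeyOutput) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A "Target:" line starts a new credential record.
            $current = [pscustomobject]@{ Target = $Matches[1]; Type = ''; User = '' }
            $entries.Add($current)
        } elseif ($current -and $line -match '^\s*Type:\s*(.+?)\s*$') {
            $current.Type = $Matches[1]
        } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
            $current.User = $Matches[1]
        }
    }
    # Keep only the entries that look like QuickBooks saved logins.
    $entries | Where-Object { $_.Target -like "*$Marker*" }
}

function Remove-QbSavedLogin {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)]$Login)
    process {
        # cmdkey lists "LegacyGeneric:target=<name>"; /delete takes <name>.
        $name = $Login.Target -replace '^[^:]+:target=', ''
        if ($PSCmdlet.ShouldProcess($name, 'Delete saved credential')) {
            cmdkey "/delete:$name" | Out-Null
        }
    }
}

# Constructed sample of `cmdkey /list` output (the entry names are made up),
# so the parser can be tried without touching the real credential store.
$sample = @(
    'Currently stored credentials:',
    '',
    '    Target: LegacyGeneric:target=Intuit_QBDT-ExampleCo',
    '    Type: Generic',
    '    User: Admin',
    '',
    '    Target: Domain:target=fileserver01',
    '    Type: Domain Password',
    '    User: EXAMPLE\alice'
)
Get-QbSavedLogin -CmdkeyOutput $sample | Format-Table -AutoSize

# Against the live store, preview first, then delete:
#   Get-QbSavedLogin | Remove-QbSavedLogin -WhatIf
#   Get-QbSavedLogin | Remove-QbSavedLogin
```

Because the credentials are stored per Windows login, run it once for each Windows account on the machine.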

Does This Improve Security or Hurt Security?

I’ve been debating this ever since the increased security feature was first released. Has Intuit really improved the security of our company data? I can argue both sides of the question.

In some cases, the change in this release makes little difference. If you store credit card information in your QuickBooks file and are concerned with PCI compliance, you should already have enabled the Credit Card Protection feature. That has been around for a while, and it has always required a complex password that changes every 90 days. No real change here. As a side note, I generally recommend that you do not store customer credit card information in QuickBooks. Have that information kept off your computer, kept in your payment processing system.

Allowing the “Keep user logged in” setting means that you are relying on Windows login security. That means that for your everyday use you should set up a Windows user account that is not the admin user on your computer, create a secure login password, and log out of Windows every time you walk away from your computer. Windows security becomes your main level of protection. I have to ask you, is this how you work with your computer? Do you always log out? When I conduct a security audit of a new client, in a small business, I rarely see people working this way. People don’t log out of Windows when they step away. They don’t use complicated passwords. If they do, then it is often found on a sticky note on their desk. I think that the “Keep user logged in” feature actually decreases security in most cases, since anyone can get in to the file from your computer if you leave it unattended and logged in.

Heck, if Intuit is going to do this, then why not just make the security feature optional? Why can’t we just opt out of the requirement?

For accounting offices dealing with multiple clients, particularly in situations where they may need to restore backup copies made at different intervals, I’m afraid that we’ll see people keeping Excel spreadsheets to track the various client files and their associated passwords. Not very secure!

Some further comments:

  • For accountants, if they are going to keep this feature, I wish that Intuit would invest some development time into the QuickBooks File Manager. Make it a true multi-user program (it isn’t now), set up different user logins so that you can control who has access to different files, store client file passwords with each revision of a file that is stored. Unfortunately, I just don’t see Intuit spending the effort on improving this feature.
  • If you are dealing with different QuickBooks files, and/or different backup versions of different files, consider using a secure password management program like RoboForm (which I use and really like) or LastPass. These are great, secure products that can be used to manage multiple passwords. They both have multi-user versions. I use RoboForm to keep track of all of my logins, not only for QuickBooks but for all of the many websites that I use. It syncs this information across all of my devices and computers, and is extremely secure.
  • One of the reasons Intuit is interested in ramping up QuickBooks file security is to protect your file in transit or while it is in other hands. That is, even if you are not concerned about increased security in your own premises, you should be concerned when you hand that file off to someone else. If this is their main case, I wish that Intuit had investigated options on adding increased security whenever you saved a backup or portable company file, or found some way to determine that the file had been handed off to someone. Tie it in to the computer or server that it normally resides on, increase (optionally) the security when the file is exported or moved away from there.
  • There has been a lot of talk about this increased security being required by the IRS. That is a load of bunk as far as I’m concerned. The IRS is concerned with tax returns, and I’ve not found anything that says that they require this kind of security on your accounting files. As far as I can tell this hasn’t been officially stated by Intuit management – it has come up in comments from Intuit support staff and spread rapidly through various discussion forums. If you can reference something from the IRS that explicitly recommends this, let me know.
  • The new option to keep a user logged in is not recommended if you have multiple Windows users who log in with the same account. Every person using that account is going to be logged in automatically with the last credentials that are used, unless every user specifically logs out of the company file every time they exit. If people don’t do that, everyone will be using that last login account and you have no control over permissions, nor any visibility in the audit trail of who does what.

Now, having ranted a little bit about this (and I’m sure we’ll see lots of user comments like that as well), I have to say that most business users are too careless with security and password management. I understand that security is time-consuming and a pain, and that this increased level of security in QuickBooks is seen as interfering and irritating. But, people need to pay more attention to file and computer security.

I just wish that Intuit had taken a different approach to this issue. In any case, the changes in QuickBooks 2015 R13 will help ease the pain for some people.

What do you think?

1099 Misc E-filing

Intuit is partnering with Tax1099.com to support e-filing of 1099 forms. This is the same update as I mentioned earlier for the QuickBooks 2016 R9 update. Tax1099.com was recognized with a 2016 User Favorite award at Accountex USA.

Earlier this year I wrote about how Intuit was discontinuing the Intuit Sync Manager utility. That impacted the Intuit 1099 e-file service, which depended on this utility. So, since Intuit’s own service can’t work with QuickBooks desktop any more, they’ve partnered with a company that doesn’t need the Intuit Sync Manager utility.

In an article that I wrote about preparing 1099 Misc forms about two years ago, I mentioned Tax1099.com. They have an interface for QuickBooks desktop that relies on the QuickBooks SDK, which is the integration method that Intuit still supports. That solves the problem! Tax1099.com offers e-delivery of forms in addition to e-filing, which I feel is very important. This is a good choice to work with, but you need to determine if Tax1099.com’s fee structure fits your needs. There is a fee calculator here.

Intuit has published a support article (KB1436803) that talks about the details of this integration. Note that QuickBooks desktop doesn’t support all of the information needed for Wisconsin filers, but Tax1099.com provides a way to enter that information if you are e-filing.

Search Bug Fix

This release fixes a bug where QuickBooks would hang if you tried to change the Search Box Preferences in multi user mode.


About the author

Charlie Russell

Charlie Russell has been involved with the small business software industry since the mid 70's, and remembers releasing his first commercial accounting software product when you had an 8-bit microcomputer with one 8 inch floppy disk drive. He has a special interest in inventory and manufacturing software for small businesses. Charlie is a Certified Advanced QuickBooks ProAdvisor with additional certifications for QuickBooks Online and QuickBooks Enterprise, as well as being a Xero Certified Partner. Charlie started blogging about QuickBooks in 2008 (Practical QuickBooks) and has been the managing editor and primary writer for the Sleeter Report since 2011. Charlie can be reached at charlie@ccrsoftware.com

Visit his CCRSoftware web site for information about his QuickBooks add-on products. He is also the author of the California Wildflower Hikes blog.

19 Comments

  • I am a small business owner, not an accountant. My PC is in a secure location, with extremely limited access (i.e., it is not open to the public, or even to staff – there is no staff). The password requirement apparently doesn’t encrypt files, so it won’t protect me from an on-line attack – only from nonexistent people who can’t reach my PC to log in. I’m glad to finally see some action from Intuit, but I must agree with your conclusion that we should have the option to disable this requirement entirely, not just for a few days. Thanks for the information.

    • Information like credit card numbers and social security numbers ARE encrypted in the database, but that isn’t something new with the security feature. That has been the case for quite some time.

  • Thanks for sharing Charlie..

    Perhaps this provides relief for some people, but not for me. I don’t have any PII data in my QuickBooks any more, yet there is no way to remove the complex password requirement. I’m all for protecting confidential information, I’m not for onerous security on information that is not sensitive. I use QuickBooks to track expenses and write checks. No payroll, no credit card processing, no tax IDs.

    In my opinion, this is a bug that should be fixed so that people who don’t have sensitive information in their company file or who have removed any sensitive information can live without the onus of logging in (even if it’s just every 90 days). I should be able to decide whether this is necessary – not Intuit.

    What they need to do is to enhance QB to provide a report that shows exactly what data items are triggering the requirement for a complex password. When the report is empty, they should allow removal of the password requirement. I challenge anyone to provide a rationale why the current behavior is desirable. I know an external party created something that produces an Excel spreadsheet that “attempts” to show PII data, but I’ve removed everything that was in the report and it still won’t allow me to remove the password. If they fixed this bug, I would stop complaining. As a workaround, I regressed my QB to the version before the unannounced “security update” that required the complex password. Until they provide a better option, that’s where I’m staying. No more upgrade money for Intuit..

    • According to Intuit, if you remove all PII info the security requirement is no longer in place. I’ve tested that in a very simple situation and it worked. There are two key issues – finding ALL of what Intuit considers PII, and a database that doesn’t have some form of damage. Note that the addon product you refer to does as good a job as Intuit allows, the shortcomings of that product are due to the shortcomings of the programming interface that Intuit provides to us.

      If you are working with checks, do you have your checking account number and routing number in that account info in the GL? If so, that is PII.

  • Funny how they tested it on 2015, when 2017 has been out now for 3 months. That’s really ‘testing’ the waters. Intuit should get a lot of similar comments like you’re posting here. To me, it saves an inconvenience, but opens it up to more security issues with multiple Windows login users.
    A lot of online programs are now going with the ‘two-step’ verification. You think they’ll ever tread in those waters? Thanks!

  • I installed the update and it crashed QB File Manager 2017, cannot open it without unhandled exception errors. Been on the phone with QB support for 90 minutes and counting.

    • Louis, in my test system I’ve not run into any problems like that. However, I could very well have a different situation than you do. I don’t use QuickBooks File Manager extensively.

      You are talking to QB support, so I’d be interested in hearing back from you as to what they come up with. If you hadn’t called them, the first thing I would have suggested would have been a “repair” of your QuickBooks installation via the Control Panel. But that might not do much. It is the first step we usually take if there is an odd error after an update.

  • Charlie, they did try to first repair and then do a clean install of first 2017 and then 2015. What we found out is that QB File Manager 2015 works fine but 2016 and 2017 versions crash. I’ve subsequently discovered the same exact issue on another machine just after updating QB 2015 to R13. QB support has referred the issue up to the next tier and hopefully they can resolve it. The support agent has given me a case # and will keep me informed. I will keep you posted.

  • I double-checked and I have no routing or account numbers in any accounts. If I have no PII data, I shouldn’t be subjected to this burden. I won’t be happy unless they provide a report from within QB that shows what data elements are triggering the requirement for the password. This seems like a fairly simple and reasonable request. Do you have the ability to provide this feedback to them (they seem to ignore the dozens of messages I’ve sent them)?

    Thanks Charlie

    • A very nice and helpful support rep. contacted me from Intuit. He used an internal tool to determine why it was requiring a complex password. It turned out that having text in the “Note” field for some of my Fixed Assets and an Expense account was the cause. Moving the note text to the description (or just deleting it) caused those items to disappear from the list of items containing sensitive information. I then did an update to the latest release of QB 2015 Pro and confirmed it no longer requires me to have a complex password. The support rep. is going to notify development as he felt this behavior was probably not intended.

      I hope this helps the people that don’t believe they have any sensitive information in their company file (and I realize there are many people who are not in this situation).

  • It doesn’t seem that the regs require that desktop QBs in and of itself have complex passwords at all. Linking some of the online add-ons and integrated apps is what exposes it to the requirements.

    We have clients who have no PII data that we can find, have no internet add-ons or apps other than the connection necessary to download updates to the program. Yet several of these are requiring complex passwords and one is even requiring a change every 90 days. Something is buggy in the implementation of this “requirement”. An opt out with a specific warning similar to overriding a QBs file with a backup would solve so much of this mess.

    • Hi Dan – Can you please share your contact details so we can help your clients. 90 days change of password is required only when Credit Card Protection is enabled.

      • Yeah, that is the theory and the official line, but frankly it is a buggy implementation. We have double checked that none of these QBs files have enabled Credit Card Protection. I too would love to see some report available out of QBs which lists the data considered PII.
