QuickBooks R7 Security Details & R10 Announcement
First, I just wanted to let everyone know the R10 update has been announced. It is a manual update currently available at Intuit’s Support Website, but it will likely also be pushed automatically at some point.
Second, I have included more detailed information about the new security changes for QuickBooks.
What’s The Hullaballoo About?
In a nutshell, the new Intuit update now requires that most users have a complex password, depending on what information they are storing. This is a change from before, when you were only required to have this kind of password if you enabled Customer Credit Card Protection.
QuickBooks users are suddenly finding that they cannot get into their QuickBooks files without first creating a new, complex password, even if they don’t have credit card information stored in the file. This creates an additional hassle for many users.
Accounting professionals are now faced with managing a large number of unique passwords across multiple client files, for every accounting user who has to access those files, which is creating a huge amount of extra work and inconvenience.
What Are Complex Passwords?
A Complex QuickBooks Password is a password that has at least 7 characters, and it includes at least one number and one uppercase letter.
A key issue that has some people upset is the requirement to change the password every 90 days. Not only do you have to create a harder-to-remember complex password, but you also have to change it every 90 days. You also can’t just switch back and forth between two passwords; you have to go through about five different passwords before you can repeat one again.
However, you don’t necessarily have to change every 90 days. Sometimes this is required, sometimes it is just recommended.
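The rules described above, written out as an added example (this is not Intuit's code and not how QuickBooks implements them): a checker for the complexity, reuse and 90-day rules. The history depth of 5 is an assumption taken from the "about five" above, and all function names are illustrative.

```python
import hashlib
import hmac
import os
from datetime import date, timedelta

MIN_LENGTH = 7                  # from the page: at least 7 characters
MAX_AGE = timedelta(days=90)    # from the page: change every 90 days
HISTORY_DEPTH = 5               # assumption: the page says "about five"


def _digest(password, salt):
    # Salted PBKDF2 digest, so the history never holds plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def remember(history, password):
    """Return the history with this password added, trimmed to HISTORY_DEPTH."""
    salt = os.urandom(16)
    return (history + [(salt, _digest(password, salt))])[-HISTORY_DEPTH:]


def complexity_problems(password):
    """List which of the three complexity rules the password fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    return problems


def is_reused(history, password):
    """True if the password matches any entry still in the history."""
    return any(hmac.compare_digest(_digest(password, salt), digest)
               for salt, digest in history)


def is_expired(last_changed, today, rotation_required):
    # Rotation is sometimes required and sometimes only recommended,
    # so the caller says which case applies to this file.
    return rotation_required and (today - last_changed) > MAX_AGE


def check_change(history, candidate):
    """All reasons a proposed new password would be rejected."""
    problems = complexity_problems(candidate)
    if is_reused(history, candidate):
        problems.append("reused")
    return problems
```
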
Why Some People Are Upset
Some reasons why people are upset:
- What if you don’t feel that you have critical information that needs to be protected? Some people use QuickBooks for very simple tasks, and they don’t feel that passwords are needed. But Intuit is making that decision for you.
- Why complex passwords? These are harder to remember, and people are more likely to just write the password on a sticky note stuck to the monitor.
- Changing every 90 days? If that is required (and it isn’t always, depending on circumstances) it creates a huge hassle in keeping things up to date, and remembering the latest password.
- What if your business runs multiple QuickBooks files? Your user login is set per company file, so every user has to remember a complex password for each separate file.
- What about accounting firms where you may have a large number of separate QuickBooks client files, but also could have a large number of employees/users who are accessing those files? Management of that many files and users can be a major chore.
What Intuit Says
According to Intuit:
Intuit has identified, and is implementing updates to address a security vulnerability in QuickBooks desktop software. We are proactively notifying customers of the steps required to install an update, which is designed to address the security vulnerability, and regarding other steps they can take to protect themselves and their data. To help protect customers, we don’t disclose specific details about security vulnerabilities that we discover. This information could be used by criminals to find and take advantage of the vulnerability. At this time, we know of no cases where anyone has taken advantage of this vulnerability to obtain sensitive data.
What Can You Do?
There are only two ways to avoid all of these password requirements: Don’t install this update or remove all of the sensitive information from your file (and turn customer credit card protection off).
Neither of these approaches is practical in many cases. Sure, you can use a third-party setup to keep customer credit card information out of your file. I generally don’t recommend that you freeze your QuickBooks installation at a particular revision. Intuit is always working on bug fixes and reliability updates, so it is (usually) best to keep your product up to date. I do often recommend that you wait to install a revision until we are sure that the revision doesn’t cause more problems than it will fix, and on occasion there have been some updates that I tell people to skip. But even if we recommend skipping a revision, you are going to install a later revision down the line. With this security update I don’t see Intuit backing off or making really large changes down the line. I could be mistaken on that account, but from what I see this is going to be the way it works moving forward. So you are eventually going to want to install an update that has this change in it, someday.
As far as removing all the sensitive data from your file, for most businesses that just isn’t practical. Intuit has confirmed that if you remove all PII and credit card info, and turn Credit Card Protection off, the complex password requirement will be removed.