QuickBooksHelpIntuit

Password security for QuickBooks Desktop

by Intuit•2• Updated 4 months ago

To ensure the protection of your critical data, QuickBooks Desktop requires passwords for data files to meet certain complexity requirements. The minimum requirements for complex passwords include:

At least 7 characters (letters, numbers, or special characters)
At least 1 number
At least 1 uppercase letter

Complex passwords must be changed every 90 days. QuickBooks prompts you to change your password near the end of the 90 days as well as on the expiration date itself.

Password protection

Users whose files contain sensitive data such as credit card numbers, Social Insurance Numbers, employer identification numbers, or who have Credit Card Protection turned on will be asked to set a complex password when they sign in to the file after the update.

Note: Only administrators will be required to change the password every 90 days.

Listed below are the password requirements for QuickBooks Desktop. Note that passwords are case sensitive.

Between 8-16 characters in length
At least 1 uppercase character (A-Z, plus all uppercase characters in the Latin-1 Supplement set)
At least 1 lowercase character (a-z, plus all lowercase characters in the Latin-1 Supplement set)
At least 1 special character (! " # $ % & ‘ ( ) * + , - . / : ; < = > ? @ [ \ ] ^ { | } ~)
At least 1 number (0-9)
Password cannot contain the username (case sensitive)
Username cannot contain the password (case sensitive)
No spaces

What if I don't want to set a password?

For users with sensitive information or credit card protection, setting a password is mandatory. It ensures that only authorized users can access your data. If you use QuickBooks Desktop Accountant or Enterprise Accountant, you can use QuickBooks File Manager to keep track of your passwords for each file.

What else do I need to know?

The Administrator will be notified if any users have not set up a password. This will help the Administrator secure the file by requesting or assigning a password to other users.
Users who have forgotten the Admin password and the corresponding password reset hint can use the Automated Password Reset Tool to reset the password.
If you are using QuickBooks Desktop in multi-user mode, ensure that all users are using a supported version of QuickBooks Desktop and have installed the security update.
For QuickBooks 2016/Enterprise 16.0 (R7), customers running SDK applications that need to access QuickBooks in unattended mode must log in to QuickBooks after the security update to apply the changes. Learn more about the changes to the Integrated Application Authentication for QuickBooks Desktop users.

Frequently asked questions

What if I have multiple QuickBooks Desktop products? Do I need to download and install the update for each one?

If you have installed more than one identified version of QuickBooks Desktop, you will need to update each version.

I still have a trial version of QuickBooks Desktop. Do I still need to apply the security update?

All expired trial versions of QuickBooks Desktop should be uninstalled. If you have any unexpired trial versions of QuickBooks Desktop installed on your system, download and install the security update.

I only use the internet occasionally. Do I still need to download the security update?

Yes. We recommend downloading and installing the security update.

What if I've uninstalled one of these products and no longer use it? Do I still need the update?

If you have uninstalled QuickBooks Desktop, you will not be affected by this vulnerability. When uninstalling multiple versions, ensure that you uninstall the most recent version of the software.

What is the vulnerability?

To help protect customers, we don’t disclose specific details about security vulnerabilities that we discover. This information could be used by criminals to find and take advantage of the vulnerability.

What happens if I disable credit card protection or remove all the credit card information from the file?

The update is designed to deliver strong password controls to help ensure that anyone attempting to access a QuickBooks Desktop account is authorized. Once the application detects that a QuickBooks Desktop company file has sensitive data, it is configured to add another layer of security protection. However, removing credit card information and Personally Identifiable Information (PII) from the file will turn off this configuration, and users will not be required to set up a password.

Can accountants set a password on their client's working file?

Yes. Changing the password in the .QBA file should have no effect on the client's original file.

What are the Personally Identifiable Information (PII) data that QuickBooks Desktop detects to require a strong password?

QuickBooks detects the presence of the following PII:

Employee Social Insurance Number
Company CRA Business Number
Company Bank Details (Routing Number, Account Number)
Company Credit Card Acct. Number
Fixed Assets Account Number
Other Assets Account Number
Other Current Assets Account Number
Loan/Other Current Liability Account Number
Long Term Liability Account Number
Supplier CRA Business Number
Supplier Account No.
Employee's Birth Date (QuickBooks 2018 versions only)

Sign in now for personalized help

See articles customized for your product and join our large community of QuickBooks users.