QuickBooks HelpQuickBooksHelpIntuit

Password security for QuickBooks Desktop

by Intuit2 Updated 5 months ago

To ensure the protection of your critical data, QuickBooks Desktop requires passwords for data files to meet certain complexity requirements. The minimum requirements for complex passwords include:

  • At least 7 characters (letters, numbers, or special characters)
  • At least 1 number
  • At least 1 uppercase letter

Complex passwords must be changed every 90 days. QuickBooks prompts you to change your password near the end of the 90 days as well as on the expiration date itself.



Password protection

Users whose files contain sensitive data such as credit card numbers, Social Insurance Numbers, employer identification numbers, or who have Credit Card Protection turned on will be asked to set a complex password when they sign in to the file after the update.

Note: Only administrators will be required to change the password every 90 days.

Listed below are the password requirements for QuickBooks Desktop. Note that passwords are case sensitive.

  • Between 8-16 characters in length
  • At least 1 uppercase character (A-Z, plus all uppercase characters in the Latin-1 Supplement set)
  • At least 1 lowercase character (a-z, plus all lowercase characters in the Latin-1 Supplement set)
  • At least 1 special character (! " # $ % & ‘ ( ) * + , - . / : ; < = > ? @ [ \ ] ^ { | } ~)
  • At least 1 number (0-9)
  • Password cannot contain the username (case sensitive)
  • Username cannot contain the password (case sensitive)
  • No spaces

What if I don't want to set a password?

For users with sensitive information or credit card protection, setting a password is mandatory. It ensures that only authorized users can access your data. If you use QuickBooks Desktop Accountant or Enterprise Accountant, you can use QuickBooks File Manager to keep track of your passwords for each file.



What else do I need to know?

  • The Administrator will be notified if any users have not set up a password. This will help the Administrator secure the file by requesting or assigning a password to other users.
  • Users who have forgotten the Admin password and the corresponding password reset hint can use the Automated Password Reset Tool to reset the password.
  • If you are using QuickBooks Desktop in multi-user mode, ensure that all users are using a supported version of QuickBooks Desktop and have installed the security update.
  • For QuickBooks 2016/Enterprise 16.0 (R7), customers running SDK applications that need to access QuickBooks in unattended mode must log in to QuickBooks after the security update to apply the changes. Learn more about the changes to the Integrated Application Authentication for QuickBooks Desktop users.


Frequently asked questions

If you have installed more than one identified version of QuickBooks Desktop, you will need to update each version.

All expired trial versions of QuickBooks Desktop should be uninstalled. If you have any unexpired trial versions of QuickBooks Desktop installed on your system, download and install the security update.

Yes. We recommend downloading and installing the security update.

If you have uninstalled QuickBooks Desktop, you will not be affected by this vulnerability. When uninstalling multiple versions, ensure that you uninstall the most recent version of the software.

To help protect customers, we don’t disclose specific details about security vulnerabilities that we discover. This information could be used by criminals to find and take advantage of the vulnerability.

The update is designed to deliver strong password controls to help ensure that anyone attempting to access a QuickBooks Desktop account is authorized. Once the application detects that a QuickBooks Desktop company file has sensitive data, it is configured to add another layer of security protection. However, removing credit card information and Personally Identifiable Information (PII) from the file will turn off this configuration, and users will not be required to set up a password.

Yes. Changing the password in the .QBA file should have no effect on the client's original file.

QuickBooks detects the presence of the following PII:

  • Employee Social Insurance Number
  • Company CRA Business Number
  • Company Bank Details (Routing Number, Account Number)
  • Company Credit Card Acct. Number
  • Fixed Assets Account Number
  • Other Assets Account Number
  • Other Current Assets Account Number
  • Loan/Other Current Liability Account Number
  • Long Term Liability Account Number
  • Supplier CRA Business Number
  • Supplier Account No.
  • Employee's Birth Date (QuickBooks 2018 versions only)

Sign in now for personalized help

See articles customized for your product and join our large community of QuickBooks users.

More like this