To ensure the protection of your critical data, QuickBooks Desktop requires passwords for data files to meet certain complexity requirements. The minimum requirements for complex passwords include:
- At least 7 characters (letters, numbers, or special characters)
- At least 1 number
- At least 1 uppercase letter
Complex passwords must be changed every 90 days. QuickBooks prompts you to change your password near the end of the 90 days as well as on the expiration date itself.
Users whose files contain sensitive data such as credit card numbers, social security numbers, employer identification numbers, or who have "Credit Card Protection" on will be asked to set a complex password when they sign in to the file after the update. Note: Only administrators will be required to change the password every 90 days.
Listed below are the password requirements for QuickBooks Desktop. Take note that passwords are case sensitive.
What if I don't want to set a password?
For users with sensitive information or credit card protection, setting a password is mandatory. It ensures that only authorized users can access your data. If you use QuickBooks Desktop Accountant or Enterprise Accountant, you can use QuickBooks File Manager to keep track of your passwords for each file.
What else do I need to know?
- The Administrator will be notified if any users have not set up a password. This will help the Administrator secure the file by requesting or assigning a password to other users.
- Customers who forgot the Admin password and the corresponding password reset hint can use the Automated Password Reset Tool to reset the password.
- If you are using QuickBooks Desktop in multi-user mode, ensure that all users are using a supported version of QuickBooks Desktop and have installed the security update.
- For QuickBooks 2016/Enterprise 16.0 (R7), customers running SDK applications that need to access QuickBooks in unattended mode must log in to QuickBooks after the security update to apply the changes. Learn more about the changes to the Integrated Application Authentication for QuickBooks Desktop users.
What if I have multiple QuickBooks Desktop products? Do I need to download and install the update for each one?
If you have installed more than one identified version of QuickBooks Desktop, you need to update each version.
I still have a trial version of QuickBooks Desktop installed on my system. Do I still need to apply the security update?
All expired trial versions of QuickBooks Desktop should be uninstalled. If you have any unexpired trial versions of QuickBooks Desktop installed on your system, download and install the security update.
I only use the Internet on a periodic basis. Do I still need to download the security update?
Yes. We recommend downloading and installing the security update.
What if I’ve uninstalled one of these products and no longer use it? Do I still need the update?
If you have uninstalled QuickBooks Desktop, you will not be affected by this vulnerability. When uninstalling multiple versions, ensure that you uninstall the most recent version of the software.
What is the vulnerability?
To help protect customers, we don’t disclose specific details about security vulnerabilities that we discover. This information could be used by criminals to find and take advantage of the vulnerability.
What happens if I disable credit card protection or remove all the credit card information from the file?
The update is designed to deliver strong password controls to help ensure that the person attempting to access a QuickBooks Desktop account is authorized. Once the application detects that a QuickBooks Desktop company file has sensitive data, it is configured to add another layer of security protection. However, removing credit card information and Personally Identifiable Information (PII) from the file will turn off this configuration and users will not be required to set up a password.
Can accountants set a password on their client's working file?
Yes. Changing the password in the .QBA file should have no effect on the client's original file.
What are the specific Personally Identifiable Information (PII) data that QuickBooks Desktop detects to require a strong password?
QuickBooks detects presence of the following PII:
- Employee and Company Social Security Number
- Company EIN
- Company Bank Details (Routing Number, Account Number)
- Company Credit Card Acct. Number
- Fixed Assets Account Number
- Other Assets Account Number
- Other Current Assets Account Number
- Loan/Other Current Liability Account Number
- Long Term Liability Account Number
- Vendor Tax ID
- Vendor Account No.
- Employee's Birth Date (QuickBooks 2018 versions only)