Consultants Reference Guide

QuickBooks Password Reset Tool–Updated

May 3, 2011

In recent releases of QuickBooks, Intuit has added a new integrated password reset tool that is touted as helping to streamline resolution of password lockouts. Is this a blessing, or a major security blunder?

As security emphasis has increased for financial data, in part due to identity theft concerns, the use and complications of passwords have significantly increased. In recent years, Payment Card Industry standards have created additional issues associated with complex passwords and mandatory password reset requirements. Just maybe, as the number and complexity of passwords have increased, our ‘little gray cells’ have become so taxed by remembering which password works with what, that the eventual circumstance of forgetting the QuickBooks Administrator password is bound to occur.

Intuit has been offering a QuickBooks Password Reset Tool for years. One was designed as a “self-help” tool that could be downloaded from the QuickBooks Support website. The second tool was a more sophisticated utility that was used by Intuit Technical Support personnel when a user could not get the downloaded tool to work. Both tools shared a common “security precaution”: each required a “security token” (code) that was generated by Intuit’s servers based upon confirmation of a registered QuickBooks license number.

Early on, not many people, other than QuickBooks ProAdvisors, were even aware that these tools existed. But in recent years, as user requests for password assistance increased, Intuit began to advertise the availability of these tools on support websites and user forums. With an increase in awareness of these “security workarounds” came the possibility of abuse.

The Password Reset Tool can be downloaded by anyone with a registered copy of QuickBooks, and a “security token” to use with the tool can be obtained so long as the email address to which the security token is sent matches the email associated with the registered license. The reality is that anyone can use this tool, and method, to open any copy of a QuickBooks Company (*.QBW) file that they can get their hands on. In other words, if a flash drive is lost containing a *.QBW file, anyone with a little techno-savvy who has a copy of QuickBooks can use the Password Reset Tool to open the file.


Figure 1 – Typical “Security Token” Email

While Intuit spends a great deal of effort to ensure that only registered QuickBooks owners can download the tool, there is nothing that actually restricts the use of the tool to the specific “QuickBooks files” of that owner. Having used the downloadable tool many times to assist my clients in opening files for which they had forgotten the Administrator password, I came to the belief that there should be a “relationship” between the tool and the file, not simply the tool and a copy of QuickBooks.

After thinking about this issue further, I realized that embedded within the QuickBooks Company file is one critical identification data-field that could be used as a “security control” to ensure that the individual using the tool was indeed doing so with a full knowledge of the file being opened. That critical field is the Taxpayer Identification Number (FEIN or SSN) within the Company Information table. If the Password Reset Tool validated not only the “security token” but also a user-entered Taxpayer ID against the Taxpayer ID information in the file, the potential for tool misuse would be significantly reduced, if not precluded completely.
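The control proposed above, sketched as an added example; it is not Intuit's code and not part of the original article. `CompanyFile`, `token_only_reset`, `file_bound_reset` and `lost_drive_scenario` are hypothetical names, the company record is a constructed in-memory stand-in rather than the real *.QBW format, and token validation is reduced to a boolean.

```python
import hmac
import re
from dataclasses import dataclass

TIN_DIGITS = 9  # a FEIN and an SSN are both nine digits


@dataclass(frozen=True)
class CompanyFile:
    """Constructed stand-in for a company file (not the real *.QBW format)."""
    name: str
    taxpayer_id: str  # Taxpayer ID as stored in Company Information


def normalize_tin(value: str) -> str:
    """Drop dashes and spaces so '12-3456789' equals '123456789'."""
    return re.sub(r"\D", "", value)


def token_only_reset(token_valid: bool) -> bool:
    """The check the article criticises: a valid license token is enough."""
    return token_valid


def file_bound_reset(token_valid: bool, entered_tin: str,
                     company: CompanyFile) -> bool:
    """The proposed check: a valid token AND this file's Taxpayer ID."""
    if not token_valid:
        return False
    stored = normalize_tin(company.taxpayer_id)
    entered = normalize_tin(entered_tin)
    # Fail closed: a file with no Taxpayer ID on record must not be
    # resettable by submitting an empty or partial answer.
    if len(stored) != TIN_DIGITS or len(entered) != TIN_DIGITS:
        return False
    return hmac.compare_digest(entered.encode(), stored.encode())


def lost_drive_scenario() -> dict:
    """Someone holds a found file and a valid token for their own license."""
    found = CompanyFile("Constructed Co", "12-3456789")  # constructed values
    return {
        "token_only": token_only_reset(True),
        "file_bound_wrong_tin": file_bound_reset(True, "98-7654321", found),
        "file_bound_owner": file_bound_reset(True, "123456789", found),
    }
```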

Now let’s look at the new password tool just released in updates to QuickBooks (QuickBooks 2011 R6 and QuickBooks 2010 R12). If you lose your Administrator password and you don’t know the answer to your “challenge” question, you can now use the new password reset tool that is directly integrated into QuickBooks. In other words, you don’t even have to go through the motions of “downloading” the tool any longer. Simply answer a few questions, like License Number (easily obtainable by pressing the F2 key even if the company file isn’t open), your name, the phone number and zip code associated with the license, and your email address. Once you do, a security token is issued and ZAP, like magic, you are resetting the Administrator password and into the file in moments. You can hardly say the words “security breach” in the limited amount of time it takes to gain access.

QuickBooks Password Reset

I am certain that for some people, who frequently forget passwords or who even forget they changed their password, this new tool may sound wonderful. Similarly, for those people who can’t remember the answers to the typical challenge questions of where they went to high school, or the name of their first pet, or where they met their spouse, the new feature represents a relief from having to download the tool. I am also certain that all those “identity thieves” out there will find the integrated tool easier than ever, since in less than 2 minutes, if they have access to QuickBooks anywhere, they can garner access to someone’s file.

I personally have sent Intuit my concerns regarding security issues with the prior incarnations of the Password Reset tool, as well as this newly ‘integrated’ version. I am also aware that many other QuickBooks ProAdvisors and security consultants have expressed similar concerns. I suspect that these concerns have been overlooked in response to an apparent increased ‘use’ of the downloadable password tool over the past few years. It is the old ‘squeaky wheel’ that got Intuit’s attention; more people downloaded the tool than complained about its availability and the related security concerns. As such, we now have the new “integrated tool” whether it is good for us or not.

While I look forward to many of the significant improvements Intuit makes to the QuickBooks product-line, this newest feature is at the very bottom of my list.


About the Author

William “Bill” Murphy is an Advanced Certified QuickBooks ProAdvisor with over 30 years of financial and teaching experience. Since 1989, his consulting company, RRR, Ltd. has been helping businesses with QuickBooks set-up and problem resolution, including data file repair. He holds both Bachelors and Masters Degrees from the University of Central Oklahoma, and is an Adjunct Instructor for Oklahoma City Community College-Corporate Learning. He also served as Technical Editor for Business Analysis with QuickBooks by Wiley Publishing in 2009.


Comments (7)


  1. Thanks, Bill. I’ve been worried about security in QuickBooks for some time, and I do think that Intuit made it too easy for someone to get in. I’m not as worried about an outsider breaking in – there are lots of ways to keep your info secure (like, don’t put it on a USB key or laptop and carry it around?). But what about that internal person who you want to keep out of key financial records? That person has easy access to the key info that is needed to make this tool work…

  2. Frankie says:

    Thanks for the info, I’ve been wondering how to break in to QuickBooks files. :) Seems like Intuit has made it easier than ever now…lol

  3. Nancy Smyth says:

    I agree, this new tool/feature is at the bottom of my “like” list as well as the signature graphic that you can add to printed checks. Just makes things too easy for some people to do more harm than good.

  4. Doug Sleeter says:

    Bill,

    Thanks for the full description and well-written article on this new “feature.” I’ll bring it up with Intuit when I next talk with a product manager. I’d really like to hear their perspective on why the feature was developed and released.

  5. David says:

    The issue is the file is not encrypted. If the file were encrypted it could also be near impossible to recover the data. If Intuit does not provide a recovery tool, someone else will. Therefore the only solution is to use strong encryption and the ability to create a recovery file. If the recovery file were to be lost, the QuickBooks file could never be recovered.

  6. Ryan says:

    David hit the nail right on the head. Identity thieves never needed the password reset tool to accomplish this as the file is not encrypted. I’ve used Passware’s QuickBooks Key program to open forgotten QuickBooks files for years.
