We recently allowed QB 2016 to run the update. It is now requiring us to enter a password on all of our 2016 data files. I thought this was only required if we had credit card information in the file. These are just basic data files that we use for bookkeeping & payroll. What gives?

Are we now going to have to change the password every 90 days?

I believe the definition of personally identifiable information now includes things like EIN, not just credit card numbers. The mandatory strong password is not so bad, but changing every 90 days is overkill, as most other major services either have no password expiration, or maybe once per year.

https://www.sleeter.com/blog/2016/06/qu ... s-2016-r7/

With the IRS software security council (or whatever they're called) working on things, aren't we expected to have to use passwords to access our professional desktop tax software as well going forward? I encrypt all my client files at the OS level, but should tax software itself require passwords and provide at-rest encryption of all confidential data?

I do not understand why this is the responsibility of Intuit to enforce. We have passwords to access our desktop and server. That is sufficient. We should be allowed to turn this off in QB.

Sure, we can use the same password for all of our QB data files. That would be OK if we did not have to change it every 90 days. But having to change it every 90 days is going to cause us lose track if which password we are using for which client.

There is a tool included in QB Accountant that might help -- QB File Manager. I have used it to track versions of all my client files (company files, backups, portables, Acct Copy, etc). Now maybe will be the time to try using the password vault feature.

From the help file:

"QuickBooks File manager is part of the QuickBooks Accountant and QuickBooks Enterprise Accountant. You can use it to open and manage your clients’ QuickBooks files quickly and easily from one location. QuickBooks File Manager allows you to:

* Build a client list that creates a virtual view of your hard drive, groups clients’ QuickBooks files by type, and contains the locations of clients’ QuickBooks company files.

* Save login information for your clients’ QuickBooks files in the Password Vault, which allows you to open a client’s QuickBooks file from the client list with the correct version of QuickBooks without looking up the login information.

* Upgrade multiple clients’ QuickBooks files to the latest version of QuickBooks in a batch.

* Create Groups of clients that you define. "

Here is a very current and thoroughly-researched article, from a reliable source. The change-every-90-day requirement is not mandatory if you don't have credit card info in the file. You can even eliminate the complex password requirement altogether by removing PII from the QB file.

It's also another reason to just consider moving to QB Online, where you only need one login to access multiple client files - problem solved.

I'm not very sympathetic to most of the comments made on the article. Security and convenience are inversely proportional. It's mostly just a bunch of whining by people who don't want to be inconvenienced. I suppose the medical provider community did a lot of whining when HIPAA was first introduced, too. Now it's time for the tax profession to step up.

It's also another reason to just consider moving to QB Online ...

I wasn't aware there were any prior reason(s).

It's a good thing my other Intuit software, like Lacerte, doesn't have any personally identifiable information.

It's a good thing my other Intuit software, like Lacerte, doesn't have any personally identifiable information.

I'm half expecting TY2016 professional tax software to make login password mandatory, even for single desktop user (as opposed to optional, as it is now in my software). We won't know until this fall, but I think this is exactly the type of thing that IRS and software industry have been busy working on. Whether a password will mean the tax data files are encrypted or not is another question.

It might be a good idea, but it is none of Intuit's business what our password policy is. Anybody that can bypass our network login security can surely bust the QB password also. It is not necessary.

I hope nobody tells Intuit, but in order for us to keep track of passwords for our client files, we just made it part of the file name: "Double-D Partnership (1234Password).QBW"

It might be a good idea, but it is none of Intuit's business what our password policy is. Anybody that can bypass our network login security can surely bust the QB password also. It is not necessary.

But it is your clients' business. While QB desktop company files have a reputation for being "crackable", how do you know that Intuit hasn't beefed up the encryption level along with the password requirements? Also, your comment completely ignores that fact that for your garden-variety disgruntled employee or other low-level hacker, a company file without a password is much more vulnerable than one with a password, regardless of whether the password can be defeated. So yes, it is necessary.

What isn't necessary, and as previously discussed does not seem to apply in most cases under the new software patch, are required password changes.

Per Bruce Schneier, security expert,

"I've been saying for years that requiring frequent password changes is bad security advice, that it encourages poor passwords. Lorrie Cranor, now the FTC's chief technologist, agrees:
http://arstechnica.com/security/2016/08 ... gist-says/"

Update from the Sleeter group (a good source of QB info).

https://www.sleeter.com/blog/2016/12/qu ... -2015-r13/

They are trying an improvement with QB2015, may end up in other versions if it is well received. The entire article is well written and covers a number of important topics, such as QB File Manager which I mentioned above, but here is the highlight as far as this thread is concerned:

"Starting with the U.S. version of QuickBooks 2015 R13 you now have an option to keep the user logged in for a specific number of days. If this feature is enabled for a QuickBooks company file, when you open that file it will automatically log you in without asking for a user name or password.

Note that this feature is off by default, you have to enable it in your Preferences."

The QB password is a joke. I can create a new password for any client file I receive if I can't find/don't have access to the current client password.

To pick back up on this thread... We use QB14 for a lot of our internal companies. Currently, there are about 75 companies. There are four people that access these companies. Recently we did the update on our QB14 and were hit with the password "pain" described earlier. Does anyone have the solution that allows an easier access to the companies without removing all of the PII from the companies? We are looking to upgrade to the latest, but for our purposes the only real reason we would need to is if there was hope in not having to enter a PW everytime you go into a company. Can anyone talk about this PW vault that I keep hearing about?

I think I mentioned this above, we have a standard password for the office and also put the password in parenthesis as part of the QB file name.

We also just changed our standard password so that it ends with 00. When we need to change it, it will go to 01, and so on.

We use a standard firm pw and put the the quarter and year at the end of it. (i.e. password1Q2017) When the 90 day mark comes around, we can change it to the next quarter and so on.