Quicken password limits to 32 chars - TD Ameritrade password length allows 64 chars

Charla Kroll

why does quicken limit your passwords to 32 when td ameritrade limits them to 64? can they put in a patch to fix this please

JustMeHere

Actually the limit is from the OFX standard which is the standard Quicken and the financial institutions use to send you your transaction (Direct Connect).

Unless you are using the extra characters to write out a sentence I can't see how it could make any difference.  Once you exceed about 20 characters there isn't a computer on the face of the Earth that can currently guess your password within the time they estimate the Universe will be around.

Edit:
P.S. I sure hope your financial institutions will lock your account after just a few wrong password attempts, so in reality it doesn't even matter how many passwords can be attempted by the fastest computer.  Not to mention that the financial institution's website wouldn't allow/be able to handle log in attempts at that speed.

Ps56k2

just to clarify - always good to include -

What version ...   Help --> About Quicken

EDIT - have updated the topic title to better reflect Q&A

Charla Kroll

first time had problems with this: windows, quicken deluxe version r25.10 build 27.1.25.10 would love to use the 64 password. instead of the limit on 32 and reading from the boards the limit is 32. so the restriction is quicken based not Td Ameritrade.

JustMeHere

Actually the limit is from the OFX standard which is the standard Quicken and the financial institutions use to send you your transaction (Direct Connect).

Unless you are using the extra characters to write out a sentence I can't see how it could make any difference.  Once you exceed about 20 characters there isn't a computer on the face of the Earth that can currently guess your password within the time they estimate the Universe will be around.

Edit:
P.S. I sure hope your financial institutions will lock your account after just a few wrong password attempts, so in reality it doesn't even matter how many passwords can be attempted by the fastest computer.  Not to mention that the financial institution's website wouldn't allow/be able to handle log in attempts at that speed.

splasher

I'm guessing that you use a password manager program to maintain your 64 character passwords.  Do you use a 64 character password to access the password manager or any other means by which you record and encrypt these passwords?  If you don't, then using 64 at TD Ameritrade is pointless.

Ps56k2

some folks have moved from the 8-char password - to the phrase password -

"MyDogHasFleas$2020" -- that's less than 32    can't imagine 64 chars

Charla Kroll

oh how smug you folks are, that have never been hacked. would prefer the 64 and td ameritrade allows it. quicken please put in a fix for this. thanks.

splasher

Not smug, just realistic.  If you do not do everything at 64 characters, then doing one at 64 and the rest at 32 or some lower number, they just have to crack the 32 and get the 64 for free.  I'll be willing to bet the reason you got hacked was not the length/complexity of your passwords but for some far simpler reason.

NotACPA

Charla Kroll said:

oh how smug you folks are, that have never been hacked. would prefer the 64 and td ameritrade allows it. quicken please put in a fix for this. thanks.

Every bank/card/brokerage that Q has contracts with to provide downloads would ALSO have to implement this ... to maintain the standard of uniformity.

AIN'T GONNA HAPPEN!

JustMeHere

Charla Kroll said:

oh how smug you folks are, that have never been hacked. would prefer the 64 and td ameritrade allows it. quicken please put in a fix for this. thanks.

There is never going to be change unless the OFX standard is updated, and they aren't about to do it.  And as such Quicken isn't about to do it because they can't send your password to the financial institution.

And as for "hacking", yes it happens, but not by "guessing the password", which is the only reason for thinking that going from 32 characters to 64 will help.

One form of "hacking" is the "virus".  Once there is a program on your machine that can monitor what you do, no password is ever going to be safe because they can record what you put in.

Another form of "hacking" is when the web site uses "security questions" and the user doesn't realize that they are even more likely to be guessed because the user actually "answers the question" instead of using a random character sequence that might used for their password.

Another form of "hacking" and the most common BTW is hacking the website.  There they are attacking the software being run, not your password.  And note that they might hack say a "game site" when they aren't encrypting passwords, and if the users use the same password everywhere then they might find the users financial institution and try those passwords there.

Here is a website that allows you to put in a password and see how fast it can be guessed "brute force" (no dictionary attack, which would apply for a password like:  G$M4&xp3ofpJnnu$Vjha)

https://www.betterbuys.com/estimating-password-cracking-times/ 

The above 20 character password takes "infinity" in "2020" guessing a 

17,042,497.3kps  (kps keys/password per second.)

I have seen other sites that have it a billions of guesses per second and a 25 character password would take in the trillions of years.

Will Quantum computers change this?
Maybe, but if they do, most likely 64 or a 164 character are going to matter.