Password Length Limitation of Quicken

mcoile Member
edited January 15 in Login and Passwords (Mac)
Feature Request: Could Quicken please allow longer passwords than 16 characters to be used? I like to use strong passwords, particularly for banking.

Specific issue: I was unable to link my Fidelity IRA and 403(b) accounts to Quicken for Mac. I spent half an hour on hold with Fidelity and then the better part of an hour doing troubleshooting with Fidelity, only for them to conclude that I was entering the right username and password in the right spot in Quicken, and that I would need to ask Quicken Support.

I called Quicken Support, who spent a half hour walking me through the same exact steps as Fidelity did (make a new user file, etc), then told me that I was doing everything correctly and I needed to talk to Fidelity support. Of course, I had already done this. I then asked the friendly support guru how long the maximum password length was that Quicken could transmit to the bank and he said "16 characters." This should have been brought up in support somewhere, but even more perplexing is why the limit exists in the first place. I changed my password to 16 or fewer characters, and then was able to successfully link my Fidelity and Quicken accounts. The Fidelity support guy (Diego) said that the Quicken community is the place to request a feature change, so I am posting here. Could Quicken please allow longer passwords? Thanks!
2 votes


Comments

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    The limitation comes from Fidelity, not Quicken.  I believe both Quicken Windows and Mac adhere to the OFX standard of a max of 32 characters, but that is if the financial institution doesn't restrict it more.  Here is the information Fidelity sends about this from the OFX log.

                    <SIGNONINFOLIST>
                        <SIGNONINFO>
                            <SIGNONREALM>ca71b298cc5711d0b0c39b012cb0aa77
                            <MIN>6
                            <MAX>20
                            <CHARTYPE>ALPHAORNUMERIC
                            <CASESEN>N
                            <SPECIAL>Y
                            <SPACES>N
                            <PINCH>N
                            <CHGPINFIRST>N
                        </SIGNONINFO>
                    </SIGNONINFOLIST>
     
    So in fact you should be able to use 20 characters.

    But I will also state that there isn't anything "insecure" about a 14 character password.  A brute force attempt to guess a random 14 character password would take about 49 billion years with current computer speeds, but it is irrelevant.  Fidelity will lock your account after about 3 tries.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
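    As an added example (not code from the thread, from Quicken or from Fidelity), the following Python reads the SIGNONINFO block quoted above and checks a candidate password against the institution's MIN, MAX, CHARTYPE, SPECIAL and SPACES settings, falling back to the 32-character OFX cap when the optional block is absent. The CHARTYPE values and the fallback defaults are taken from the OFX specification as I understand it and are marked as assumptions in the code.

```python
import re
# Constructed sample, modelled on the SIGNONINFO block quoted above
# (OFX 1.x uses SGML-style tags, so element values are not closed).
SAMPLE_OFX = """<SIGNONINFOLIST>
<SIGNONINFO>
<SIGNONREALM>ca71b298cc5711d0b0c39b012cb0aa77
<MIN>6
<MAX>20
<CHARTYPE>ALPHAORNUMERIC
<CASESEN>N
<SPECIAL>Y
<SPACES>N
<PINCH>N
<CHGPINFIRST>N
</SIGNONINFO>
</SIGNONINFOLIST>"""
OFX_DEFAULT_MAX = 32  # OFX's cap when the optional SIGNONINFO block is absent

def parse_signoninfo(ofx_text):
    """Return SIGNONINFO fields as a dict, or None if the FI sent none."""
    block = re.search(r"<SIGNONINFO>(.*?)</SIGNONINFO>", ofx_text, re.S)
    if block is None:
        return None
    # each field is "<TAG>value"; the value runs to end of line or next tag
    return {tag: val.strip()
            for tag, val in re.findall(r"<([A-Z0-9.]+)>([^<\r\n]*)", block.group(1))}

def check_password(pw, info):
    """List the ways pw violates the FI's sign-on policy (empty list = OK)."""
    info = info or {}  # missing fields fall back to assumed conservative defaults
    lo, hi = int(info.get("MIN", 1)), int(info.get("MAX", OFX_DEFAULT_MAX))
    problems = []
    if not lo <= len(pw) <= hi:
        problems.append(f"length {len(pw)} outside {lo}..{hi}")
    has_alpha = any(c.isalpha() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() and c != " " for c in pw)
    ctype = info.get("CHARTYPE", "ALPHAORNUMERIC")  # OFX CHARTYPE values (assumed)
    if ctype == "ALPHAONLY" and has_digit:
        problems.append("digits not allowed (ALPHAONLY)")
    elif ctype == "NUMERICONLY" and has_alpha:
        problems.append("letters not allowed (NUMERICONLY)")
    elif ctype == "ALPHAANDNUMERIC" and not (has_alpha and has_digit):
        problems.append("needs both letters and digits (ALPHAANDNUMERIC)")
    if info.get("SPECIAL", "N") == "N" and has_special:
        problems.append("special characters not allowed")
    if info.get("SPACES", "N") == "N" and " " in pw:
        problems.append("spaces not allowed")
    return problems
```

Run it against the SIGNONINFO block your own OFX log shows for an institution and it tells you exactly which rule a password manager's output would trip before the sign-on is ever attempted.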
  • jacobs
    jacobs SuperUser, Mac Beta Beta
    Chris_QPW said:
    But I will also state that there isn't anything "insecure" about a 14 character password.  A brute force attempt to guess a random 14 character password would take about 49 billion years with current computer speeds, but it is irrelevant.  Fidelity will lock your account after about 3 tries.
    All true. But… if people use a system of long passcodes or a password manager to generate long passwords, there's really no reason Quicken shouldn't accommodate them. In the old days, passwords on some systems were limited to 8 or 10 or 12 characters, until the IT world switched to saying long passwords or "pass phrases" are better and more secure.

    I would think 32 characters should be enough for anyone, so if it's correct that the limitation is set by the financial institution, then the pressure should be on them to change. However, although you showed that the OFX from Fidelity allows up to 20 characters, Quicken Support said the limit is 16 characters. So it's possible that the Quicken app is limiting passwords to 16 characters. Or it's possible that the Quicken support agent was wrong about there being a 16-character limitation. (I'm not going to post odds on which of those is likely to be wrong. ;) )
    Quicken Mac Subscription • Quicken user since 1993
  • Ps56k2
    Ps56k2 SuperUser ✭✭✭✭✭
    edited January 15
    Did a quick look at our OFX -
    Fidelity - 20
    TRowe - 32
    Vanguard - 20
    Schwab - was missing the related markup text - wonder why?
    Quicken Subscription - Windows 10
  • Justin K
    Justin K Member
    This isn't limited to the Mac version. The PC version also has this issue. I want to ensure my financial accounts are secure as well and have a long password; Quicken doesn't support it, which is not very reassuring.
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    edited February 21
    jacobs said:

    However, although you showed that the OFX from Fidelity allows up to 20 characters, Quicken Support said the limit is 16 characters. So it's possible that the Quicken app is limiting passwords to 16 characters. Or it's possible that the Quicken support agent was wrong about there being a 16-character limitation. (I'm not going to post odds on which of those is likely to be wrong. ;) )
    I see I never addressed this comment.  My Fidelity password is 19 characters long.
    So, so much for the "16-character limitation" that basically came out of nowhere.

    And as for making it longer than what the financial institution allows, talk to the financial institution.  That goes for situations where you want a longer password or if they allow one thing on their website, but send a different requirement for Quicken.  They are the ones sending the information, at least for Direct Connect accounts.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    P.S. I'm a Quicken Windows user.  Because this is a restriction coming from the financial institution it is the same for Quicken Mac or Quicken Windows.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Ps56k2
    Ps56k2 SuperUser ✭✭✭✭✭
    edited February 21
    Justin K said:  I want to ensure my financial accounts are secure as well and have a long password, Quicken doesn't support it, not very reassuring.
    It's the FI that is telling Quicken what they will allow - don't blame Quicken -
    Did a quick look at our Quicken Windows OFX log file -
    Fidelity - 20
    TRowe - 32
    Vanguard - 20
    Schwab - was missing the related markup text - wonder why?

    Quicken Subscription - Windows 10
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Ps56k2 said:
    Schwab - was missing the related markup text - wonder why ?
    I looked it up in the OFX standard, and this information is optional.
    I wonder how Quicken treats it.  I would imagine it has no restrictions other than the OFX standard of no more than 32 characters.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    edited February 21
    BTW since you have upper and lower characters (52 characters) plus all the digits (10) plus at least a few "special" characters you have about 65 possibilities per digit.  If you multiply 65 times for every digit that gives you the number of combinations.  So for 14 digits here is the number of combinations:
    24,031,838,291,621,636,962,890,625

    Edit 19 digits:
    2,788,391,667,128,460,141,519,546,508,789,100

    Now with either of these guess my password in three tries.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/
  • QW26
    QW26 Member ✭✭
    Quicken needs to lengthen the password length max to 128 characters.

    Many people use password managers that generate random-ish passwords up to 40 characters (DashLane) and even up to 128 characters (BitWarden).

    You need massive overkill in password length.

    The website HowSecureIsMyPassword.net currently estimates a 14 character password would take ONE PC 200 million years to crack.

    Sounds great, right?

    But it's not when hackers use much, much more powerful password-cracking operations, not just one PC.

    The motivation to crack passwords of financial sites is much higher than for other types of sites.

    It's prudent to assume every website has been or will be hacked. Even high-end security computer companies get hacked.

    After hacking a site, thieves may take a copy of encrypted passwords in order to decrypt them later on their own machines using brute force with one or more of the following methods:

    • a hacker's personal PC (with extra GPUs) can attempt about 10 billion passwords PER SECOND -- I think this is roughly how HowSecureIsMyPassword estimates a password's strength (the time it'd take just such one PC to crack a password)

    • a hacker can use a network of 30k-100k or more infected victim PCs (a botnet) to crack stolen passwords at a much, much higher rate than a single PC can. This is called "distributed computing" and is usually used for good but can also be used for evil. Hackers even rent their botnets for the purpose of password cracking. That 14 character estimate of 200 million years suddenly drops immensely. You can see some such darkweb rental portals for password cracking on botnets at the renowned security website, KrebsOnSecurity, where he included screenshots in articles about this.

    • a hacker can use existing or abandoned cryptocurrency mining machines (which have huge numbers of GPUs) to crack passwords at way, way, way higher rates than a botnet's partially-employed infected mediocre PCs can. Many bitcoin miners stopped mining when it became unprofitable. Some abandoned, sold or otherwise massive bitcoin mining operations were repurposed for password cracking. Mining generates long blocks of characters called "hashes," which are also what's actually stolen from websites when you hear about hackers stealing masses of passwords from a site. These massive repurposed mining operations rendered weak some previously good encryption methods like Bcrypt. Better encryption methods partially guard against the cracking of some specialized cracking equipment. Argon2(x) replaced Bcrypt years ago but many websites might not even use bcrypt (btw, a recent breach of a popular parking smartphone app tried to assure its customer/victims that all was well because the stolen customer data was encrypted with bcrypt -- oops).

    SUMMARY

    • Popular estimates of password strength only use a single PC to calculate the time to crack

    • Botnets (often tens of thousands of PCs) are sometimes used to crack passwords

    • Cryptocurrency-mining computers (e.g., bitcoin mining computers) are sometimes reused to crack passwords at rates way faster than even botnets

    • CPU speed used to double every 2 or so years but even though that's slowed some, adding GPUs and other PUs has allowed huge surges in speed for single-minded functionality, like generating hashes to mine bitcoin (or crack passwords)

    • Today's barely strong password is tomorrow's weak one

    CONCLUSION

    • Use massive overkill instead of just barely long-enough passwords, which thieves can attack with gargantuan firepower continually or wait and retry with even more massively powerful computers under their control next year or the year after or the year after or the year after

    • Of course, also use 2FA !!!

    • There's not a snowball's chance in Dante's Inferno that I'm going to lower my password strength at my financial institutions just so Quicken can handle it for downloading transactions. I'll continue to manually download and import transactions until Quicken fixes this.

    (Banks used to be and many still are the worst at allowing pathetically short password length minimums and maximums. It's a minor miracle that so many banks now allow much longer passwords.)
  • jacobs
    jacobs SuperUser, Mac Beta Beta
    @QW26 That's a detailed and reasonable take on banking passwords. However, as noted at the top of this thread, Quicken uses the banking industry OFX standard for data interchange, and OFX limits passwords to 32 cleartext characters, unless all parties use a higher level of security which allows encrypted passwords to be up to 171 characters. Even then, it depends on financial institutions to set their password length limits; Quicken doesn't inherently have a length limitation other than the OFX standard.
    Quicken Mac Subscription • Quicken user since 1993
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    edited October 19
    @QW26 Your analysis is forgetting a few facts.

    1. How does an "offline" hacking process know that they got the right answer?  Unless they actually break the encryption (and then all bets are off it won't matter how many characters it is) they can't run a "brute force" "offline" attack in parallel on their machine because there is no way to know if the results are correct without sending it to the financial institution.
    2. There isn't a financial institution out there that is going to allow (or even be able) to take billions of password requests a second.  They will lock it after about 3 tries.
    3. You aren't understanding how combinations go up.  Even though the site you named talks about "one computer" I have seen others that show it with trying billions per second and the number is still an extremely long time.  For 64 characters with 32 digits the combinations are: 6.2771017353866807638357894232077e+57.  Divide that by 100 billion and you get 6.2771017353866807638357894232077e+46.  Divide that in half to get the average time it would take to find a match, so now you have 3.1385508676933403819178947116038e+46.  Next divide by the number of seconds in a year and you get 9.9454675504263327436747240335255e+38 years at 100 billion passwords per second.  The age of the universe is about 1.38e+9 years.
    4. You aren't worth this kind of computing power.  They don't know what they might get from getting your password.  On the other hand they know what a bitcoin is worth right now, and can use the computing power for that.  Or what a given company is worth to try to hack for ransomware.  There isn't any way they would expend this kind of computing power on anything other than a target they already know is going to return a lot of money.  What's more, you are one person out of billions; they have to "find you" first, and how many of these people they probe using such resources can they afford to do?
    5. It is much easier for hackers to get a virus on people's machines and watch the keyboard strokes for the passwords.
    Signature:
    (I'm always using the latest Quicken Windows Premier subscription version)
    This is my website: http://www.quicknperlwiz.com/