How does Quicken secure Password Vault for Windows subscription customer

Marbu
Marbu Member
On its Help pages, Quicken says that its Password Vault "went through a rigorous security review" and "uses industry-standard encryption to save your passwords" but it does not say how it does this. Since the Vault holds the keys to my financial crown jewels, it would be nice to know more than the vague platitudes offered on the Help page.

Where can I obtain a more definitive description of where and how the Vault is stored (for example, on my machine or in the cloud?), how it is encrypted, whether it is recoverable, what protections Quicken has in place to secure the information, further detail on the security review (i.e. who did it, when, and what they determined?), and why Quicken still thinks its solution is secure?

Best Answer

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Answer ✓
    The password vault is stored in the Quicken Desktop data file, and they say it is encrypted (but not what method of encryption).  Unlike the data file password, which you can request to have removed, if you forget the password of the Password Vault you have to remove it and re-enter passwords.  That is a good indication that it is really encrypted.

    Note though the Password Vault isn’t the only place where your passwords are stored depending on what services you use.  For Direct Connect that is where they are, but for Express Web Connect they are stored on the Quicken/Intuit servers.  If you use Online Bills/Quicken Bill pay they would be saved at the third party service provider’s servers and may be on Quicken servers.

    Needless to say if you use sync to Mobile/Web they will be stored on the Quicken servers.  The statement on these locations is “bank level encryption/procedures”.

    No one is going to ever tell you the details.  It is pretty clear that if they even know all the details it is part of their “security policy” not to put out the details.
    Signature:
    This is my website: http://www.quicknperlwiz.com/

Answers

  • Marbu
    Marbu Member
    Thanks Chris. This is very helpful. In this day and age, I would like to think that Quicken would be more forthcoming about how it does its security. I appreciate that protecting some details would be good for security, but the burden should be on them to let their customers know enough to trust what they do. At the moment, I lack confidence that they have their side figured out completely.

    I have avoided using the Mobile/Web version since it was not clear to me what was on the Quicken servers and how it is stored. Based on your comments about Express Web Connect, I am going to rethink how I download data from accounts that rely upon it.
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Marbu said:
    I have avoided using the Mobile/Web version since it was not clear to me what was on the Quicken servers and how it is stored. Based on your comments about Express Web Connect, I am going to rethink how I download data from accounts that rely upon it.
    It doesn't really take much to understand that Mobile/Web have your passwords stored on the server.  First off they "update in the night".  Second off you can update from them and not be prompted for passwords.

    On Express Web Connect, the downloading and caching of transactions "nightly" has always been the "main process" on the Intuit server.  And it remains that way even though it is more "interactive" these days.

    Recently this has gotten "more visible" in that they have even stopped saving the usernames/passwords for Express Web Connect in the Password Vault, since they started moving people to the connection method they are calling QCS (Quicken Connection Services).

    Before:
    Quicken -> Intuit server -> financial institution's website

    Now:
    Quicken -> QCS -> Intuit server -> financial institution's website

    QCS is the same sync system as sync to Mobile/Web (actually to a "cloud account data set"), but does not make it available to the Mobile/Web GUI programs unless you turn on sync to Mobile/Web.

    See this for details about QCS:
    https://community.quicken.com/discussion/7882641/qcs-express-web-connect-is-cloud-sync

    Signature:
    This is my website: http://www.quicknperlwiz.com/
This discussion has been closed.