Citibank password length affecting transaction download capability

tired techie
tired techie Member ✭✭
I connect to Citibank using Express Web Connect. When I look in my Quicken password vault for the Citibank account, the Password Stored field says Not Required. I believe this is because Quicken has stored my credentials at their third-party service provider. [ Is that still Intuit? ]

Recently, I changed my password at Citibank to 48 characters. Quicken couldn't log in because it has the old password stored offsite. When I supplied the new password, it failed to log in. Sometimes I would get CC-502, and sometime CC-503.

A call to Quicken support, and the agent tells me I have to limit my Citibank password to 16 characters. This must be a new requirement, because I have another Citibank account, with a separate login that still works and uses a longer password. I suspect if I change that password at Citibank, then Quicken will require the new password to be no longer than 16 characters.

1) Is this correct, that Quicken has a 16 character limitation for Citibank Express Web Connect passwords?
2) Is this documented anywhere?
3) In this age of hacking, why would any programmer be allowed to limit bank passwords to 16 characters?

As I said above, Citibank supports passwords MUCH longer than 16 characters.


  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    The limit should be 32 characters, not 16, provided the financial institution allows it to be that long.

    The main reason for 32 characters is because Quicken follows the OFX standard, it says the max is 32 characters.

    Note that 32 characters is way more than you need.  Let's say you have 52 letters, 10 digits, and 5 more "special characters" for a total of 67 possible characters.  With a 32-character password that gives you this many permutations (note that it isn't combinations because with combinations order doesn't matter):

    And if trying at 1 billion per second (31536000 in a year) the number of years on average (1/2 of max) is:
    431079215492665708373956219209188609145290175461616 years

    To show how having 67 possible combinations grow let's look at that poor 16-character password:
    And if trying at 1 billion per second (31536000 in a year) the number of years on average (1/2 of max) is:
    372792649879818911709 years

    But note, your financial institution is going to lock the account after about 3 tries.
    This is my website:
This discussion has been closed.