nav[aria-label="Primary Navigation"] { padding: 0; & ul { list-style: none; width: 100%; display: flex; flex-direction: row; justify-content: start; align-items: start; gap: 30px; padding: 0; & li { margin: 0; } & ul li { list-style: none; } } }

Quicken does not ask for Password Vault password when updating individual account

Qckn User

If I start Quicken and immediately and do a transaction download from one of my account registers, Quicken no longer requests the password of the Password Vault and performs the download for the register. I can do this for each account individually and never have to enter my Password Vault password.

This seems like a security violation or, at least, diminishes the protection of the Password Vault. Is this still occurring in R52.20?

This question should be moved to another category but I don't see a way to do it.

Find more posts tagged with

Accepted answers

splasher

If you read the webpages that you cited carefully, you will notice that they are almost always referring to security of the information being transmitted between their and aggregator servers and you. The only reference I saw to local security is that you can put a password on your data file to prevent others from opening your data file. Now that does not encrypt the data file, it just acts as a lockout and it CAN be removed by Quicken if you forget it.

EWC+ is the newest of the protocols and uses tokens, but EWC has always used a password and it used to be stored in the PV, but Quicken never used it from there since it was stored on the aggregation servers for the nightly data pickups that the aggregator (Intuit) did to have the data ready for you to download. So. it was decided several versions back to not store them in the PV since they weren't needed locally.

All comments

splasher

Look on the Account List (Tools menu) to see which download process is used. (Direct Connect, Express Web Connect or Web Connect).

I'm guessing EWC.

Qckn User

@splasher Correct. It appears to happen for EWC and EWC+ accounts. Is that a bug?

splasher

For EWC and EWC+ the password is no longer stored in the Password Vault. It or a token is stored on the aggregation server depending on whether it is EWC or EWC+ (respectively). Only Direct Connect account passwords are now stored in the Password Vault.

Is it a bug? Depends on your frame of mind. If the FI's password is not in the Password Vault, why should the PV's password be asked for. The other side of the coin is that anyone with access to your Quicken installation and data file could initiate a download which some folks might consider to be un-secure. But then, that is an issue of physical security which really isn't Quicken's responsibility IMHO.

Personally, I keep my data file in an encrypted data vault and only have it accessible when I am actively using Quicken so no one could do that to me (the Mrs. wouldn't do it regardless).

Qckn User

I didn't know about EWC and EWC+ passwords no longer in the Password Vault.

"Password Vault" is kind of a misnomer now since it doesn't do what its help definition states.

Evidently it is no longer a password repository for all accounts and passwords.

I would expect Quicken secured data as they advertise:
How Quicken Protects Financial Information

I did a string search of the datafile, it appears that the datafile has very basic encryption as I was able to locate account numbers (but w/o FI name), and my quicken account id. It seems one would have to be a Quicken expert to decipher the strings located in the file.

splasher

Boatnmaniac

This Support Article talks about the various connection methods used by Quicken: https://www.quicken.com/support/how-quicken-connects-your-bank .

If you scroll down near the end of the article and expand the section about EWC you will see it clearly states that our login information is saved on the aggregator's (i.e., Intuit) servers.

If you scroll down below that and expand the section about EWC+ you will see that tokens, not login information, are saved on the aggregator's servers. These tokens are provided by the financial institutions to the servers when we do the EWC+ authorization setup process. Tokens are more secure than logins which is at least one reason why Quicken promotes EWC+ as a safer and more secure process….at least relative to EWC.