Password Length Limitation of Quicken

mcoile
mcoile Member
edited October 2023 in Login and Passwords

Feature Request: Could Quicken please allow longer passwords than 16 characters to be used? I like to use strong passwords, particularly for banking.

Specific issue: I was unable to link my Fidelity IRA and 403(b) accounts to Quicken for Mac. I spent half an hour on hold with Fidelity and then the better part of an hour doing troubleshooting with Fidelity, only for them to conclude that I was entering the right username and password in the right spot in Quicken, and that I would need to ask Quicken Support.

I called Quicken Support, who spent a half hour walking me through the same exact steps as Fidelity did (make a new user file, etc), then told me that I was doing everything correctly and I needed to talk to Fidelity support. Of course, I had already done this. I then asked the friendly support guru how long the maximum password length was that Quicken could transmit to the bank and he said "16 characters." This should have been brought up in support somewhere, but even more perplexing is why the limit exists in the first place. I changed my password to 16 or fewer characters, and then was able to successfully link my Fidelity and Quicken accounts. The Fidelity support guy (Diego) said that the Quicken community is the place to request a feature change, so I am posting here. Could Quicken please allow longer passwords? Thanks!

16
16 votes

Reviewed · Last Updated

Comments

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    The limitation comes from Fidelity not Quicken.  I believe both Quicken Windows and Mac adhere to the OFX standard of a max of 32 characters. but the that is if the financial institution doesn't restrict it more.  Here is the information Fidelity sends about this from the OFX log.

                    <SIGNONINFOLIST>
                        <SIGNONINFO>
                            <SIGNONREALM>ca71b298cc5711d0b0c39b012cb0aa77
                            <MIN>6
                            <MAX>20
                            <CHARTYPE>ALPHAORNUMERIC
                            <CASESEN>N
                            <SPECIAL>Y
                            <SPACES>N
                            <PINCH>N
                            <CHGPINFIRST>N
                        </SIGNONINFO>
                    </SIGNONINFOLIST>
     
    So in fact you should be able to use 20 characters.

    But I will also state that there isn't anything "insecure" about a 14 character password.  A brute force attempt to guess a random 14 character password would take about 49 billion years with current computer speeds, but it is irrelevant.  Fidelity will lock your account after about 3 tries.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • jacobs
    jacobs SuperUser, Mac Beta Beta
    Chris_QPW said:
    But I will also state that there isn't anything "insecure" about a 14 character password.  A brute force attempt to guess a random 14 character password would take about 49 billion years with current computer speeds, but it is irrelevant.  Fidelity will lock your account after about 3 tries.
    All true. But… if people use a system of long passcodes or a password manager to generate long passwords, there's really no reason Quicken shouldn't accommodate them. In the old days, passwords on some systems were limited to 8 or 10 or 12 characters, until the IT world switched to saying long password or "pass phrases" are better and more secure.

    I would think 32 characters should be enough for anyone, so if it's correct that the limitation is set by the financial institution, then the pressure should be on them to change. However, although you showed that the OFX from Fidelity allows up to 20 characters, Quicken Support said the limit is 16 characters. So it's possible that the Quicken app is limiting passwords to 16 character. Or it's possible that the Quicken support agent was wrong about there being a 16-character limitation. (I'm not going to post odds on which of those is likely to be wrong. ;) )
    Quicken Mac Subscription • Quicken user since 1993
  • Ps56k2
    Ps56k2 SuperUser ✭✭✭✭✭
    edited January 2021
    Did a quick look at our OFX -
    Fidelity - 20
    TRowe - 32
    Vanguard - 20
    Schwab - was missing the related markup text - wonder why ?

    QWin - R54.16 - Win10

  • Justin K
    Justin K Member
    This isn't limited to the MAC version. The PC version also has this issue. I want to ensure my financial accounts are secure as well and have a long password, Quicken doesn't support it, not very reassuring.
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    edited February 2021
    jacobs said:

    However, although you showed that the OFX from Fidelity allows up to 20 characters, Quicken Support said the limit is 16 characters. So it's possible that the Quicken app is limiting passwords to 16 character. Or it's possible that the Quicken support agent was wrong about there being a 16-character limitation. (I'm not going to post odds on which of those is likely to be wrong. ;) )
    I see I never addressed this comment.  My Fidelity password is 19 characters long.
    So, so much for the "16-character limitation" that basically came out of nowhere.

    And as for making it longer than what the financial institution allows, talk to the financial institution.  That goes for situations where you want a longer password or if they allow one thing on their website, but send a different requirement for Quicken.  They are the ones sending the information, at least for Direct Connect accounts.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    P.S. I'm a Quicken Windows user.  Because this is a restriction coming from the financial institution it is the same for Quicken Mac or Quicken Windows.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Ps56k2
    Ps56k2 SuperUser ✭✭✭✭✭
    edited February 2021
    Justin K said:  I want to ensure my financial accounts are secure as well and have a long password, Quicken doesn't support it, not very reassuring.
    Its the FI that is telling Quicken what they will allow - down't blame Quicken -
    Did a quick look at our Quicken Windows OFX log file -
    Fidelity - 20
    TRowe - 32
    Vanguard - 20
    Schwab - was missing the related markup text - wonder why ?


    QWin - R54.16 - Win10

  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    Ps56k2 said:
    Schwab - was missing the related markup text - wonder why ?
    I looked it up in the OFX standard, and this information is optional.
    I wonder how Quicken treats it.  I would imagine it has no restrictions other than the OFX standard of no more than 32 characters.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    edited February 2021
    BTW since you have have upper and lower characters (52 characters) plus all the digits (10) plus at least a few "special" characters you have about 65 possibilities per digit.  If you multiply 65 times for every digit that gives you the number of combinations.  So for 14 digits here is the number of combinations:
    24,031,838,291,621,636,962,890,625

    Edit 19 digits:
    2,788,391,667,128,460,141,519,546,508,789,100

    Now with either of these guess my password in three tries.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • QW26
    QW26 Member ✭✭
    Quicken needs to lengthen the password length max to 128 characters.

    Many people use password managers that generate random-ish passwords up to 40 characters (DashLane) and even up to 128 characters (BitWarden).

    You need massive overkill in password length.

    The website HowSecureIsMyPassword.net currently estimates a 14 character password would take ONE PC 200 million years to crack.

    Sounds great, right?

    But it's not when hackers use much, much more powerful password-cracking operations, not just one PC.

    The motivation to crack passwords of financial sites is much higher than for other types of sites.

    It's prudent to assume every website has been or will be hacked. Even high-end security computer companies get hacked.

    After hacking a site, thieves may take a copy of encrypted passwords in order to decrypt them later on their own machines using brute force with one or more of the following methods:

    • a hacker's personal PC (with extra GPUs) can attempt about 10 billion passwords PER SECOND -- I think this is roughly how HowSecureIsMyPassword estimates a password's strength (the time it'd take just such one PC to crack a password)

    • a hacker can use a network of 30k-100k or more infected victim PCs (a botnet) to crack stolen passwords at a much, much higher rate than a single PC can. This is called "distributed computing" and is usually used for good but can also be used for evil. Hackers even rent their botnets for the purpose of password cracking. That 14 character estimate of 200 million years suddenly drops immensely. You can see some such darkweb rental portals for password cracking on botnets at the renowned security webstie, KrebsOnSecurity, where he included screenshots in articles about this.

    • a hacker can use existing or abandoned cryptocurrency mining machines (which have huge numbers of GPUs) to crack passwords at way, way, way higher rates than a botnet's mediocre partially-employed infected mediocre PCs can. Many bitcoin miners stopped mining when it became unprofitable. Some abandoned, sold or otherwise massive bitcoin mining operations were repurposed for password cracking. Mining generates long blocks of characters called "hashes," which are also what's actually stolen from websites when you hear about hackers stealing masses of passwords from a site. These massive repurposed mining operations rendered weak some previously good encryption methods like Bcrypt. Better encryption methods partially guard against the cracking of some specialized cracking equipment. Argon2(x) replaced Bcrypt years ago but many websites might not even use bcrypt (btw, a recent breach of a popular parking smartphone app tried to assure its customer/victims that all was well because the stolen customer data was encrypted with bcrypt -- oops).

    SUMMARY

    • Popular estimates of password strength only use a single PC to calculate the time to crack

    • Botnets (often tens of thousands of PCs) are sometimes used to crack passwords

    • Cryptocurrency-mining computers (e.g., bitcoin mining computers) are sometimes reused to crack passwords at rates way faster than even botnets

    • CPU speed used to double every 2 or so years but even though that's slowed some, adding GPUs and other PUs has allowed huge surges in speed for single-minded functionality, like generating hashes to mine bitcoin (or crack passwords)

    • Today's barely strong password is tomorrow's weak one

    CONCLUSION

    • Use massive overkill instead of just barely long-enough passwords, which thieves can attack with gargantuan firepower continually or wait and retry with even more massively powerful computers under their control next year or the year after or the year after or the year after

    • Of course, also use 2FA !!!

    • There's not a snowball's chance in Dante's Inferno that I'm going to lower my password strength at my financial institutions just so Quicken can handle it for downloading transactions. I'll continue to manually download and import transactions until Quicken fixes this.

    (Banks used to be and many still are the worst at allowing pathetically short password length minimums and maximums. It's a minor miracle that so many banks now allow much longer passwords.)
  • jacobs
    jacobs SuperUser, Mac Beta Beta
    @QW26 That's a detailed and reasonable take on banking passwords. However, as noted at the top of this thread, Quicken uses the banking industry OFX standard for data interchange, and OFX limits passwords to 32 cleartext characters, unless all parties use a higher level of security which allows encrypted passwords to be up to 171 characters. Even then, it depends on financial institutions to set their password length limits; Quicken doesn't inherently have a length limitation other than the OFX standard.
    Quicken Mac Subscription • Quicken user since 1993
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    edited October 2021
    @QW26 You analysis is forgetting a few facts.

    1. How does an "offline" hacking process know that they got the right answer?  Unless they actually break the encryption (and then all bets are off it won't matter how many characters it is) they can't run a "brute force" "offline" attack in parallel on their machine because there is no way to know if the results are correct without sending it to the financial institution.
    2. There isn't a financial institution out there that is going to allow (or even be able) to take billions of password requests a second.  They will lock it after about 3 tries.
    3. You aren't understanding how combinations go up.  Even though the site you named talks about "one computer" I have seen others that show it with trying billions per seconds and the number is still an extremely long time.  For 64 characters with 32 digits the combinations are: 6.2771017353866807638357894232077e+57.  Divide that by 100 billion and you get 6.2771017353866807638357894232077e+46.  Divide that in half for the to get the average time it would take to find a match, so now you have 3.1385508676933403819178947116038e+46.  Next divide by the number of seconds in a year and you get 9.9454675504263327436747240335255e+38 years at 100 billion passwords per second.  The age of the universe is about 1.38+e9 years old.
    4. You aren't worth this kind of computing power.  They don't know what they might get from getting your password.  On the other hand they know what a bitcoin is worth right now, and can use the computing power for that.  Or what a given company is worth to try to hack for ransomware.  There isn't any way they would expend this kind of computing power on anything other that a target they already know is going to return a lot of money.  What's more you are one person out of billions, they have to "find you" first, and how many of these people they probe using such resources can the afford to do?
    5. It is much easier for a hackers to get a virus on people's machines and watch the keyboard strokes for the passwords.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • dljustice
    dljustice Member ✭✭
    I just ran into the same issue. I have been trying to ensure all of my passwords are overkill-level secure whenever possible. I either use iCloud Keychain to generate the password or in the case of a shorter character limit imposed by the vendor, I use the maximum number of characters with completely random alphanumeric and special characters. 20 characters are the standard for keychain's randomly generated passwords, OFX standard is 20; Quicken should support that standard.
  • Chris_QPW
    Chris_QPW Member ✭✭✭✭
    dljustice said:
    I just ran into the same issue. I have been trying to ensure all of my passwords are overkill-level secure whenever possible. I either use iCloud Keychain to generate the password or in the case of a shorter character limit imposed by the vendor, I use the maximum number of characters with completely random alphanumeric and special characters. 20 characters are the standard for keychain's randomly generated passwords, OFX standard is 20; Quicken should support that standard.
    Actually the OFX standard is 32 characters in plain text, and Quicken does support that.
    What tends to be the problem in most cases is that the information that Quicken gets from the financial institution doesn’t match what they will allow on their website.  Personally I don’t think that Quicken should do this check, it should let the user put in any password up to 32 characters with the exception of the “special characters” when using Express Web Connect/Quicken connect, and let it fail to log in if the financial institution rejects it and report that.

    The exception I mentioned for Express Web Connect/Quicken Connect is because there are a few special characters that can be used because they will get lost in when trying to send them through the Intuit’s servers/financial institution’s website.  This doesn’t apply to Direct Connect. And it should tell the user why it is rejecting them.

    Note that one of the complaints was that the limit wasn’t 40 characters or even 128.  For those as I stated above they are really way overkill.
    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Quicken Anja
    Quicken Anja Moderator mod

    Hello All,

    The Community Support team regularly reviews long-standing posts and Ideas for relevancy and current interest. This Idea seems to have stalled and we would like to gauge the current interest in this request. 

    If you would like to see this idea implemented, please add your vote and a comment explaining how this idea would be beneficial for you. More information, including steps to vote and how to submit your own Ideas for future product features/improvements, is also available here.

    Thank you,

    Quicken Community Support Team

    -Quicken Anja
    Make sure to sign up for the email digest to see a round up of your top posts.

  • Stuart Dole
    Stuart Dole Member ✭✭
    Hi Quicken Anja - I just found that Quicken does not support long passwords for bank accounts. My current passwords are managed by 1Password, and typically run 20-30 characters (Latin alphabet). But - really?
    (1) Quicken's 16-character limit is archaic. Password managers (Keychain, 1Password) allow and encourage much longer passwords.
    (2) It should really be variable length - it feels like an old DOS program that's forcing you into a fixed-length field.
    (3) It's making a lot more work for me when I don't have a lot of time - to go back and change the bank passwords to be a lot shorter. The password change process for this bank is long and arduous.
  • jtkqboston
    jtkqboston Member ✭✭

    Well, yes we can blame Quicken. If the OFX says the max password length is 20, and the user has used something longer, Quicken should post a warning or error message about that. (Assuming the max password length is available before login…otherwise you don't know until you login that your password was shorter than the limit specified in the QFX)

  • Randy 415
    Randy 415 Windows Beta Beta

    Security is an issue these days. Having longer passwords is helpful. Allowing the current max of 32 characters for all FI's will be better. Users asking Fidelity (or other FI's) for help will be a start. Having Quicken back that request up, by making their own inquiry will also help. And finally, updating the OFX standards for 128 character passwords would be a good thing. Let's all work together to move forward. This particular request is to Quicken. Please consider working with the FI's to make passwords longer, knowing that we have made the same request of our FI's. (at least 32 for now, until the standards get modified).

  • jacobs
    jacobs SuperUser, Mac Beta Beta

    If this is important to you, make sure you add your vote to this thread (in the yellow box at the top of the thread, under the first post). At this time, this Idea thread has only 15 votes; it needs more votes in order for the site moderators to officially forward this enhancement request to the development team.

    Quicken Mac Subscription • Quicken user since 1993