Security issue: Quicken not asking for vault password before online update
Options
KDL
Member ✭✭✭
Lately, Quicken Premier (R33.24) is allowing me to do an online update for an account without asking me to enter the vault password. It simply proceeds to the online update for an account. This occurs after starting up Quicken, viewing one of my bank accounts, clicking the gear icon in the upper right corner, and selecting update now. I can select a few other accounts right after that and it allows the same thing. If I switch to one of my credit card accounts, it then asks for the vault PW. And following that, it doesn't ask again during the same session. So it appears that there is a problem with Quicken thinking that I have already entered the vault PW when logging in, for a short period of time. I'm on a Windows 10 Enterprise system.
Tagged:
0
Comments
-
Quicken no longer stores your Express Web Connect passwords in the Password Vault. It stores them on Quicken's server.
Thus, if you update transactions or One Step Update and only have selected Express Web Connect accounts, the update will continue with no prompt.
If you update transactions or One Step Update and you have included Direct Connect accounts, then you will be required to enter your password for the Password Vault.1 -
Interesting. I had no idea that any of my passwords were stored anywhere off my computer. Not sure how I feel about that. But that does answer the question.0
-
At one time, the Quicken password vault "stored" your Express Web Connect passwords in the vault. But, they really didn't use it at all.
Think about it. Direct Connect is a direct connection from your Quicken software to your bank. It needs your userid and password to log in...and you get your transactions right then and there, but usually only once per day. Quicken connects to your bank...and your bank downloads a transaction file automatically. The flow is Quicken software to bank.
Express Web Connect (and Quicken Connect on Quicken Mac) downloads transactions from your bank to Quicken's servers, usually during the middle of the night. They obviously need your password to log in, and since your Quicken software is closed, the userid and password resides on Quicken's servers (QCS) so they can log in while you're asleep.
Now, when you initiate a One Step Update, or Update Transactions from the register, Quicken will retrieve those transactions from the Quicken server...they've already been downloaded there waiting for you to get them. So, there really is no need for the bank's userid and password. Quicken is just connecting you to their own (well, Intuit's servers) to retrieve those transactions. So the flow is QCS server to bank...Quicken software to QCS server.
So, a few updates ago, Quicken programmers got rid of the Express Web Connect passwords stored in the vault...and if you start a One Step Update, you'll see a little key next to the EWC banks. The key means Quicken has the encrypted userid and password for that account on its QCS server.
As to storing that info offsite, if that's a problem the only remedy is to switch to Direct Connect banks...or download a transaction .qfx data file and import it into Quicken (known as Web Connect)...or manually enter transactions.
You're not the only person with those concerns.
0 -
Just so you know, when they first made this change clicking on the gold key of an Express Web Connect account only gave you a message explaining where the password went, but they have changed that and now if you click on that gold key it will allow you to update your password.Signature:
This is my website: http://www.quicknperlwiz.com/1
This discussion has been closed.