One Step Update now performs update without password

Frustrated2_
Frustrated2_ Quicken Windows Subscription Member ✭✭

I have Windows 11 Pro (23H2) build 22631.3737. My Dell Alienware PC is current with all of the latest available updates as of June 19th, 2024. I use Quicken Classic for Windows, now version 57.16, and have been a Quicken user for 20 years. (This is a new account.) I am seeing that I no longer have to enter a password to run Quicken One Step Update (OSU). All of my banks are using their own express connect systems, so it is my understanding that Quicken no longer stores the specific passwords needed to access the banks for OSU downloads. These banks are American Express, Bank of America, Chase, Citi, and Wells Fargo. I BELIEVE this began with a recent update. I can't pinpoint which update this was, or how long this has been going on, but I just noticed it yesterday. I have gone back a few times and even reinstalled Quicken from scratch to make sure this wasn't an installation issue. Here is what is happening: I start OSU by clicking on the OSU icon within Quicken right after launching Quicken. Quicken will immediately prompt me to enter the OSU password. However, instead of entering the password, I close the password dialogue box or click on SKIP, and then in the next window, which lists each bank, I click on "Update Now" (see screenshot).

Quicken proceeds to perform the one step update, even though no password was entered. New transactions are downloaded into the registers without entering the one step update password!!!!

This seems like a complete security failure. Is Quicken's software development team aware of how easy it is to completely bypass what used to be a security measure???? Can we expect a new Quicken version to be released sometime soon???

Comments

  • splasher
    splasher Quicken Windows Subscription SuperUser ✭✭✭✭✭

    You have two choices, 1) password protect your data file (File menu) or 2) keep your data file in an encrypted data vault (that only you know the password to) if you want to secure your Quicken information from prying eyes.

    Personally, I use the encrypted data vault method and only have the file accessible when I am actively using Quicken. I don't feel a file password is of much use if Quicken can remove it for you if you provide enough information to them.

    If you feel that this is a security failure, then create a new post as an idea being sure to describe in clear terms what you think should be changed. The way loan accounts are downloaded is a good example of poorly worded ideas turned into features in Quicken done badly.

    -splasher using Q continuously since 1996
    - Subscription Quicken - Win11 and QW2013 - Win11
    -Questions? Check out the Quicken Windows FAQ list

  • Ps56k2
    Ps56k2 Quicken Windows Subscription Alumni ✭✭✭✭

    any of the accounts listed - with the gold key - are using the new EWC+ protocol and do not require manual entry of any password -
    that function was completed when you walked thru the Quicken authorization process with each bank website - and a secure token was created between the bank and your Quicken

  • mshiggins
    mshiggins Quicken Windows 2017 SuperUser ✭✭✭✭✭

    The password you're referring to as the OSU (One Step Update) password is not a One Step Update password: it's the Quicken Password Vault password. 

    Neither Express Web Connect downloads nor Express Web Connect downloads store passwords in the Quicken Password Vault (*).

    The only time the user is currently required to supply the Password Vault password is when there are Direct Connect downloads selected to be downloaded.


    Having said that; there does seem to be something peculiar in your screenshot. 

    Usually when a password is required during One Step Update, but is not stored in the Vault (meaning, when a Direct Connect download is being attempted for a financial institution that has no password in the Vault); Quicken will present the same "Fill Passwords" box in the upper-right corner that appears in your screenshot ... but Quicken will also present an empty box to the right of the financial institution name whose password is not in the vault so the user can enter the password at that time. In your screenshot, the "Fill Passwords" box is in the upper-right, but no displayed financial institution has a box where you could enter the financial institution password. I'm not sure how that causes any problem, but I don't understand it.

    Of the financial institutions shown in your screenshot, I believe only Citi Cards and Wells Fargo Bank currently permit Direct Connect downloads. And since neither of the two Citi Card FI's have a gold key beside them, that seems like further evidence that they are using the Direct Connect connection method (and Wells Fargo is using Express Web Connect or Express Web Connect+). So that suggests that only Citi Cards could have a password in the Vault thus requiring the Password Vault password to do a One Step Update. 


    [ (*) If you create a New Quicken file and setup/activate only accounts that download using Express Web Connect+, you won't even get the opportunity to create a Password Vault. And there will be no Password Vault created, thus no way for Quicken to ask for the Password Vault password.

    And if you setup/activate some accounts that download using Express Web Connect, you may be asked if you want to store the password in the Password Vault, but it doesn't matter because it won't be stored there anyway. I think that offer to store the Express Web Connect password is just left over code from the days when Express Web Connect passwords were stored in the Vault. If you refuse the offer to store Express Web Connect passwords in the Password Vault, no Vault will be created.

    Express Web Connect+ passwords have never been stored in the Vault, and Express Web Connect passwords have not been stored in the Vault for years. So I'm unclear what specific change you're suddenly experiencing.]

    -JP

    Quicken user since Q1999. Currently using QW2017.
    Questions? Check out the Quicken Windows FAQ list

  • UKR
    UKR Quicken Windows Subscription SuperUser ✭✭✭✭✭

    I haven't seen it mentioned in this discussion, but …
    Under normal circumstances, if you run more than one One Step Update per Quicken session, the Vault Password is not required for the 2nd and subsequent OSUs.

    And then, yes, if there's a special situation, as indicated by the image your provided, this may not apply.
    It might be best if you contacted Quicken Support on the phone during posted hours of operation and discussed this issue with a support rep.

  • Boatnmaniac
    Boatnmaniac Quicken Windows Subscription SuperUser ✭✭✭✭✭

    And if you setup/activate some accounts that download using Express Web Connect, you may be asked if you want to store the password in the Password Vault, but it doesn't matter because it won't be stored there anyway. I think that offer to store the Express Web Connect password is just left over code from the days when Express Web Connect passwords were stored in the Vault. If you refuse the offer to store Express Web Connect passwords in the Password Vault, no Vault will be created.

    If during the setup process for an EWC financial institution/account you check the box to save the login information in the PW Vault, that financial institution/account will show up in the PW Vault but that login information is not actually saved there. It will, however, require you to enter the PW Vault PW before OSU can be completed for that EWC financial institution/account.

    It that box is not checked during the setup process, it will not show up in the PW Vault and OSU can/will be processed without needing to enter the PW Vault PW.

    Quicken Classic Premier (US) Subscription: R59.6 on Windows 11

  • Chris_QPW
    Chris_QPW Quicken Windows Subscription Member ✭✭✭✭

    This isn't correct, some financial institutions that support Direct Connect will support changing the password through Quicken, and if that is the case clicking on the gold key is the way you would change it.

    I agree with JP there is something wrong with this if this first time you have started One Step Update since starting Quicken (as others have mentioned, once you enter your Password Vault password it is "open" and will be used without prompting you until you restart Quicken).

    I recently bit the bullet and changed my last Direct Connect account to Express Web Connect + and as such I no longer have any passwords in my Password Vault and this is what I see:

    You see there isn't any "Fill Passwords"…

    But actually, saying that I might have an idea of why that is there.

    If you recently changed a Direct Connect account over to Express Web Connect + and it was the "last one" like mine was. Quicken might still see the Password Vault and put up that "Fill Passwords". Once I knew that I didn't have any more Direct Connect accounts I deleted the Password Vault, so that might be the difference.

    I would go to the account list (Ctrl+A) and check to see if any of your accounts are actually setup for Direct Connect.

    Please note something else unlike Express Web Connect where your username and password are stored on the Intuit server (Quicken Inc's aggregator "to login as you") Express Web Connect + works with a new protocol called FDX, which uses rotating security tokens. Which means that your username and password are no longer shared with any third-party. You authorize Intuit to contact your financial institution(s) using this secure rotating token system.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • mshiggins
    mshiggins Quicken Windows 2017 SuperUser ✭✭✭✭✭

    "If during the setup process for an EWC financial institution/account you check the box to save the login information in the PW Vault, that financial institution/account will show up in the PW Vault but that login information is not actually saved there. It will, however, require you to enter the PW Vault PW before OSU can be completed for that EWC financial institution/account."

    I didn't say that activating an EWC account would not cause an entry in the Password Vault. I said the EWC password would not be stored there - which you confirm.

    As I indicated in my previous post, I setup my EWC account in a New Quicken file (thus a file that had never had a password vault before); Quicken did create a Password Vault (when I checked the box, "Save to password vault"), with an entry for the EWC financial institution (with no password in it).  

    But I am not asked to enter the Vault Password to do a OSU. 

    I just tested again (in R57.16)

    Given that there are no passwords in the Vault, it makes sense to me that Quicken would not ask me to supply the Vault password to do a OSU.

    -JP

    Quicken user since Q1999. Currently using QW2017.
    Questions? Check out the Quicken Windows FAQ list

  • Boatnmaniac
    Boatnmaniac Quicken Windows Subscription SuperUser ✭✭✭✭✭
    edited June 29

    @mshiggins -

    I didn't say that activating an EWC account would not cause an entry in the Password Vault. I said the EWC password would not be stored there - which you confirm.

    I'm not sure I understand the point you were trying to make here. I never said anything about activating an EWC account would not cause an entry in the PW Vault and never said that you had. I think we are both aligned on this matter.

    Now here is where we did disagree. You said:

    …I setup my EWC account in a New Quicken file (thus a file that had never had a password vault before); Quicken did create a Password Vault (when I checked the box, "Save to password vault"), with an entry for the EWC financial institution (with no password in it).  

    But I am not asked to enter the Vault Password to do a OSU. 

    I just tested again (in R57.16)

    Given that there are no passwords in the Vault, it makes sense to me that Quicken would not ask me to supply the Vault password to do a OSU.

    I had previously stated that when an EWC account is added to PW Vault there would be a prompt to enter the Vault PW when initiating OSU. That is based upon many instances of doing OSU for singular and multiple EWC accounts (with EWC+ and DC accounts not included) in multiple data files over time. This happened very consistently for me.

    So, I did some testing myself…because we can't both be correct about this, right? Or so I thought.

    In a TEST file I'd set up about 3 months ago I had previously set up some EWC and EWC+ spending accounts for downloading….no DC accounts or any connected investment accounts were ever in this file. (I can't remember which version I was running at that time but I am now running R57.16.)

    • I deselected the EWC+ accounts in OSU Settings so they would not be included in OSU.
    • Only 1 EWC account remained selected for OSU in OSU Settings.
    • OSU was initiated and I was prompted to enter the Vault PW before OSU would proceed and complete….just like it always has for me, supporting what I'd previously posted.

    Then I did what you did:

    • Created a new TEST file and set it up only for the one same EWC account.
    • Made sure it was added to the PW Vault.
    • Confirmed that this EWC account was selected for OSU.
    • Closed and then reopened Quicken.
    • Initiated OSU.
    • OSU proceeded without me needed to enter the Vault PW…..which confirms the results you got.

    So, it appears we are both correct but how can that be?

    I then set up one of the EWC+ accounts in this new TEST file, closed and reopened Quicken, initiated OSU and was not prompted to enter the Vault PW. So adding the EWC+ accounts had no impact on this.

    I'm a bit dumbfounded about why we are getting different results. Maybe there was an unannounced change made to Quicken in one of the more recent versions that was not included in the version I was running about 3 months ago? Do you have any insights/thoughts on this?

    Quicken Classic Premier (US) Subscription: R59.6 on Windows 11

  • Chris_QPW
    Chris_QPW Quicken Windows Subscription Member ✭✭✭✭

    I have a wild guess on this.

    For some time now I have seen people report that the get the One Step Update Settings screen even on the first time they use One Step Update and have been prompted for the Password Vault password.

    And those reports sort of started a big after Quicken went to where they stick their servers in the middle of all of this and notified everyone that your password is no longer stored in the Password Vault for Express Web Connect:

    https://www.quicken.com/support/why-dont-i-need-enter-my-bank-password-download-my-bank

    It is my guess that they have created a complicated system now depending on what account connection types you have and have selected, and such as what dialogs to bring up and such, that code has bugs in it. This isn't really a surprise to me. It is like the prompt for the Password Vault password just to go to the Mobile & Web page, and if you cancel out of that prompt it still goes there! When that was reported they wrote it off as "security".

    When I finally setup for only Express Web Connect + accounts and deleted my Password Vault one thing that struck me was that for the first update in the session I was presented with the same number of dialogs to get it to run.

    Old, prompt for Password Vault password. New, prompt for the One Step Update settings dialog. There isn't an actual One Click update possible even when they don't need any passwords.

    Signature:
    This is my website: http://www.quicknperlwiz.com/
  • Quicken Kristina
    Quicken Kristina Quicken Windows Subscription Moderator mod
    edited July 5

    Hello All,

    We forwarded this issue to the proper channels to be further investigated. If you haven't already done so, please navigate to Help > Report a problem and submit a problem report with log files attached and (if you are willing) a sanitized copy of your data file in order to contribute to the investigation.

    While you will not receive a response through this submission, these reports will help our teams in further investigating the issue. The more problem reports we receive, the better.

    We apologize for any inconvenience!

    Thank you.    

    (CTP-10353)

    Quicken Kristina

    Make sure to sign up for the email digest to see a round up of your top posts.

This discussion has been closed.