Replying to:
CertifiedSecurityEngineer
Level 3

Requiring a password, by default, is good!  You should be encouraging customers to password protect their data.  But, you need to allow power users to disable this feature.  Some of your customers don't need/want Intuit to interfere in their security practices.

 

For example:

We store the QuickBooks data files on encrypted drives and require users to sign on [to the computer] with a smartcard and a strong password.  If a user is able to open the company file, they have already been authenticated and authorized.  We don't want or need another password.  It doesn't increase security, and it causes confusion with the users.  Please explain why you don't allow power users to bypass this requirement.

 

Furthermore, you don't allow customization of the QuickBooks password policy.  In our company, we require passwords to be at least 15 characters long with at least two character classes.  QuickBooks' "strong" requirement is substantially weaker.  I attempted to set the QuickBooks password to "eivma5ld7wn2lf9" (this is a weak password that meets our requirements), but QuickBooks says the password is not complex.  An example it provides is "coMp1ex".  This causes security professionals to weep.  Why?  Using a brute force attack, I can hack "coMp1ex" in about 6 minutes.  My desired [weak] password would take 701 thousand years to hack.

 

You are not my mother, nor are you my boss, nor are you a regulating agency.  It is not your responsibility to dictate how I secure my data.  Listen to your customers, and add a way to disable the password requirement.  A simple warning, "Are you sure you want to disable passwords? Your data will be at risk!" would absolve you of responsibility.
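
The length-versus-complexity comparison in the post above, worked through as an added example (not the poster's code and not QuickBooks' checker). It assumes exhaustive search over the character classes each password actually uses, at a guess rate calibrated so that "coMp1ex" takes the post's 6 minutes; the function names and the rate are illustrative assumptions.

```python
import string

# Character classes considered; anything outside printable ASCII is ignored here.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

def classes_used(password):
    """Return the names of the character classes present in the password."""
    return [name for name, chars in CLASSES.items()
            if any(c in chars for c in password)]

def search_space(password):
    """Worst-case exhaustive-search size: (alphabet size) ** length."""
    alphabet = sum(len(CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password)

def meets_length_policy(password, min_len=15, min_classes=2):
    """Policy described in the post: at least 15 characters, two classes."""
    return (len(password) >= min_len
            and len(classes_used(password)) >= min_classes)

def seconds_to_exhaust(password, guesses_per_second):
    """Time to try every candidate in the password's search space."""
    return search_space(password) / guesses_per_second

SHORT, LONG = "coMp1ex", "eivma5ld7wn2lf9"  # both quoted in the post
# Assumption: guess rate chosen so SHORT is exhausted in 6 minutes.
RATE = search_space(SHORT) / (6 * 60)
YEAR = 365.25 * 24 * 3600

if __name__ == "__main__":
    for pw in (SHORT, LONG):
        years = seconds_to_exhaust(pw, RATE) / YEAR
        print(f"{pw!r}: classes={classes_used(pw)} "
              f"policy_ok={meets_length_policy(pw)} "
              f"space={search_space(pw):.3e} years={years:.3g}")
```

Under these assumptions the 15-character lowercase-and-digit password has a search space roughly 6 x 10^10 times larger than the 7-character mixed-case one, which is the same order as the ratio between the two times quoted in the post.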
