quicken's encryption

After years of using Quicken I was reading a book on Q 2011 and saw that
when Q backs up it apparently "encrypts" the backup file.

I usually keep my Q data files in a TruCrypt encrypted volume which I
know is secure so this made me wonder how good Quicken's own encryption
was. Does anyone know what encryption method Q uses and if it is easily
broken into?

Jeff

 

I've never had a need to look into this for Quicken, but I HAVE on one
occasion needed to break into QuickBooks for a client who had lost the
password and couldn't get into their own system. It was disturbingly
easy to locate a tool on the Internet to simply reset the QuickBooks
password (if I remember correctly...it's been a while and I don't recall
the details). There's probably such a tool out there for Quicken too,
which is one of the many reasons why I also use Truecrypt. So, if the
password can be easily reset, how well the file is encrypted may be a
moot point.

--
Chad Neeper
Senior Systems Engineer
Level 9 Networks

-- Full LAN/WAN consulting services --
-- Specialized in libraries and schools --

 

I don't think that is true ... as stated. Quicken's regular data file is
encrypted; I don't think there is any added encryption for Quicken
backups. I believe Quicken backups are exact copies of the fileset being
backed up.

Starting with Q2008 R2, Quicken data files have had 2048 bit encryption.

I'll leave it to the security gurus to tell you how safe that should make
you feel.

 

responding to
http://www.beansmart.com/quicken/quicken-s-encryption-36157-.htm
Jameslary wrote:

I think Quicken 2011's interface has been retooled so it behaves the way
you'd expect it to. There's a new cash-flow tracking feature that lets you
see how much cash will be in your accounts as Quicken forecasts the timing
of your income and expenses.

 

Huh?

 

Thanks. I was just curious. Will continue to depend on TrueCrypt.

 

'What the encryption algorithm is' is less important than 'how easy it is
to guess, find or reset the password'.

 

That "new" cash flow feature is not really "new" at all.

A few years back, that feature was in Quicken, but Intuit removed it.

It only took five or six years of customer complaints before Intuit put the
feature back.

 

If I had to bet, I guess the "encryption" is simply LZW compression.
Years ago even Microsoft found that files such as PowerPoint were too
slow to load and too big to store, so they they started using LZW
compression. Of course a password can be associated with the
compression and I suspect that is how they separate data files on a
per-year basis.

 

The fact that there are cracking tools has nothing to do with the security of the encryption. The cracking tools simply apply trial passwords until the file decrypts, and so rely on the fact that most people are lazy and use short passwords. The tools only "work" if the password is short enough for the tool to cycle up to it before the cracker loses patience. The better cracking tools will also try dictionary attacks and such, usually before trying a brute force attack. With a modern PC, a tool can sequence up through every 6-7 character combination during a brute force attack, and hence cover every possible password up to that length, in hours to a few days. This is why your passwords should all be at least 12 characters in length (longer is even better), and don't limit the password to just letters & numbers, so that brute force attack using a PC will take months or more.