5

Quicken has a password-protection option where you type in a password and your file is encrypted. How good is this encryption and how does it depend on the length or complexity of my password?

A Google search reveals a lot of "quicken password recovery" programs, like this one, which make me feel like the password is just for keeping the really dumb criminals away, not the ones with large computers.

jmvidal

2 Answers

6

I wouldn't rate it as very secure, simply because I don't know how it's being encrypted.

Better bet would be to create a TrueCrypt volume and store your Quicken file in there.

Josh K
  • 3
    @Idigas: TrueCrypt is an open-source product using known public algorithms and approved by many crypto hackers, including Schneier, the Chuck Norris of cryptography. – u1686_grawity May 14 '10 at 20:34
  • +1 True Crypt!!! Easy to use, and Cross platform – Urda May 14 '10 at 21:15
  • Yes, I am doing something similar: re-encrypting the file myself. But, I am still wondering how good Quicken is by itself and if anyone has looked at this. It is so popular that someone must have examined it, right?!? – jmvidal May 14 '10 at 22:03
  • @Idigas: What sparkly letters? It's a fully open source project using open source algorithms tested by virtually everyone in the Crypto scene. It is **the** cross platform encryption program. – Josh K May 15 '10 at 05:51
  • 1
    @jmvidal: Not necessarily. I don't trust Microsoft Word document locking either, specifically because **no one has looked and seen how it's working**. Encryption is a special process that must be done right to avoid any security issues. – Josh K May 15 '10 at 17:53
  • @Josh K - I know it's open source. However, that doesn't mean someone actually invested days/months of their time to test it thoroughly. Have you ever tried reading your own code after a few months? How about somebody else's? I cannot find it now (figures...), but I recently stumbled upon a very nice article about how much open source code is really tested by ... uhmm, "open sourcers" ... result: not that much. If it's working, most just leave it alone. – Rook May 16 '10 at 23:23
  • @Idigas: Encryption is taken **very** seriously by professionals and hobbyists alike. I wouldn't say it's out of the possible realm that **many industry qualified professionals** along with a great deal of hobbyists have taken a *very* deep look at the source. Have you ever heard of someone cracking a TrueCrypt volume? – Josh K May 17 '10 at 00:16
3

SANS did a study and rated it very low. http://www.sans.org/reading_room/whitepapers/casestudies/personal-financial-information-safe-practical-lessons-quicken-password-vulnerabilities_704

Blackbeagle
  • That's a great report! (bad for Quicken, apparently they suck). But, they are analyzing Quicken 2000. Is there a similar report for Quicken >= 2008? – jmvidal May 14 '10 at 21:52
  • Search the Quicken site for a link to a tool to have you send your data file to them to remove the password. Fundamentally, any time someone can remove your password, it is inherently breakable by design. Sorry, I tried to embed the link, but it keeps breaking. – Blackbeagle Aug 10 '12 at 19:32
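
The design point in the last comment above, as an added example that is not part of the original thread and does not describe Quicken's actual file format: a hypothetical container where the password is only a check in the header (design A) beside one where the key is derived from the password (design B). All names, the `APP_KEY` value and the toy keystream are assumptions made for illustration.

```python
import hashlib, hmac, os

APP_KEY = b"constructed-key-shipped-in-the-app"  # hypothetical: same for every file

def _xor_stream(key, data):
    # Toy SHA-256 counter-mode keystream, for illustration only (not a vetted cipher).
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def gate_save(password, plaintext):
    # Design A: the password is only compared on open; the body uses APP_KEY.
    return {"pw_hash": hashlib.sha256(password.encode()).digest(),
            "body": _xor_stream(APP_KEY, plaintext)}

def gate_open(f, password):
    given = hashlib.sha256(password.encode()).digest()
    if f["pw_hash"] and not hmac.compare_digest(f["pw_hash"], given):
        raise PermissionError("wrong password")
    return _xor_stream(APP_KEY, f["body"])

def remove_password(f):
    # A removal service needs no password for design A: it clears the check field.
    return {"pw_hash": b"", "body": f["body"]}

def _derive(password, salt):
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]  # encryption key, MAC key

def kdf_save(password, plaintext):
    # Design B: the key is derived from the password, so nothing can be "removed".
    salt = os.urandom(16)
    enc_key, mac_key = _derive(password, salt)
    body = _xor_stream(enc_key, plaintext)
    return {"salt": salt, "body": body,
            "tag": hmac.new(mac_key, body, "sha256").digest()}

def kdf_open(f, password):
    enc_key, mac_key = _derive(password, f["salt"])
    tag = hmac.new(mac_key, f["body"], "sha256").digest()
    if not hmac.compare_digest(f["tag"], tag):
        raise PermissionError("wrong password")
    return _xor_stream(enc_key, f["body"])
```

Only in design B does the password's length and complexity, together with the KDF cost, determine how hard the file is to open.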