Intuit Quicken is one of the oldest tools of its kind. Over the years, Quicken had become the de facto standard for accounting, tax reporting and personal finance management in North America.

Finances is an extremely sensitive area that demands adequate protection of the user data. However, prior to 2003, Quicken employed a weak protection scheme that allowed the intruder to break in instantly even if the password was set. Since Quicken 2003, the tool gained the ability to encrypt data. From now on, the password must be brute-forced in order to gain access to the encrypted data.

In 2007, we discovered a backdoor in Quicken software. While using secure encryption to protect the data, Intuit decided to include a backdoor in its products. This backdoor allowed Intuit offering a data recovery service of a kind, unlocking Quicken files if the customer lost their password. To deliver this service, Intuit hardcoded the 512-bit RSA public key into its products, which was used to protect a copy of the symmetric encryption key (which, in turn, was used to encrypt and decrypt the customer’s data). The idea was that the decryption could be only performed by Intuit itself, since the private key was only known to the company. We’ve managed to uncover the backdoor, extract the public key and successfully refactor the matching 512-bit RSA private key. During that period of time, we could instantly remove protection from encrypted Quicken documents saved by Quicken 2003 through 2007, regardless the password length and complexity.

Intuit was quick to patch this. While they still have a backdoor in their products, they bumped the length of the RSA key beyond our ability to refactor. Yet even today, any files created in Intuit 2003 through 2007 can still be opened instantly.

How is Quicken doing today, security wise? The brute force speed of this year’s Quicken 2020 suite is on the level of 35,000 password iteration per second. This, using a dated 4-core Intel i9 CPU even without GPU acceleration. A previous-generation NVIDIA GeForce GTX 1080 results in about 1.2 million passwords per second, while today’s NVIDIA GeForce RTX 2070 brings the recovery speed to a much higher number of passwords per second. If you’re up to using the specialized Tesla P100 GPU, you’ll be looking at around 2.7 million passwords per second.

Is that a lot or a little? In fact, the recovery speed in the low millions p/s is considered extremely high by today’s standards. As a comparison, you can only try about 8,700 passwords per second when breaking Microsoft Office 2016-2019 documents using the same GeForce GTX 1080 board, so Quicken has about 138 times weaker encryption strength compared to Microsoft Office.

What do these number mean in real life? The millions passwords per second enable recovering reasonably complex passwords with plain brute force, even without resorting to smarter attacks. The use of dictionary attacks and mutations allows finding even the more complex passwords in reasonable time. If the password was not discovered, we recommend using Elcomsoft Distributed Password Recovery for even faster attacks.

Intuit QuickBooks is another popular tool, this time targeted to corporate accounting with collaboration features and multiple user account support. The database can be protected with a master password.

However, despite the use of a password, there is no encryption. The access passwords are stored as simple hash values in the database. Importantly, these hash values are not dependent on the master password in any way. Consequently, using AINPR to simply alter the master password or any of the user passwords to a pre-defined value exposes access to the whole database. This is a classic “no protection” scheme. Nothing has changed in QuickBooks 2021; one can still break in to the database instantly.