Security in Microsoft Money

Microsoft has never publicly stated how Microsoft Money files are secured. However, they are immediately protected if you use some form of password or Microsoft Passport. One thing Microsoft does say is that it won't help you remember your password (Article 167), but that doesn't mean there isn't a way for them to retrieve it. There are mechanisms for retrieving Microsoft Passport credentials.

Communications between Microsoft Money and 2-way banks (Article 235) are protected by 128-bit security using an encryption technology called Secure Sockets Layer (SSL). However, if you are manually downloading transactions from a bank using 1-way OFX, then at the point of download this is an unprotected operation. Some banks will warn you that security from the point of download is your own responsibility.

Data that you exchange with the MSN Money servers, through the account aggregation servers (Yodlee, CashEdge - US users only) or other services, is protected to a degree that even Microsoft staff can't get access to the data without a tortuous legal route. The details of these protections are not given, except to say that the MSN Money data center is 'controlled'.

Exchanged data could be account names, transactions, payees etc. These are required for the essential modes of the program to work. For non-Passport users, this transfer cannot happen.

Your Money file is as secure as you make it. It can be secure even without a password, provided the machine it is stored on is secure.

If you are looking for additional ways to keep your data secure, remember the security of your backup files on disk or removable devices as well.

How to protect a file more

There are many ways, but it's not my area of expertise. Some ideas are:
  • File-based security - such as the Encrypting File System (if you have Windows XP Professional or some versions of Vista).
  • Using a strong password on the file
  • Using an encrypted storage medium
  • Specific permission settings on the file
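
As an added example (not part of the original article or any Microsoft tooling), the following PowerShell sketch audits two of the ideas above, EFS encryption and file permissions, across both Money data files and their backups. It assumes PowerShell 3.0 or later, that Money data files use the .mny extension and backups .mbf, and that the folder in `$Path` is a placeholder you replace with your own locations.

```powershell
# Added example: report Money files and backups that lack EFS encryption
# or that grant access to broad built-in groups.
# Assumption: the folder below is a placeholder; list your own data and backup folders.
$Path = @("$env:USERPROFILE\Documents")

# Well-known SIDs for groups broad enough that a grant to them
# undermines per-user protection of the file.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

Get-ChildItem -Path $Path -Recurse -File -Include *.mny, *.mbf -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_

    # The Encrypted attribute is set when the file is protected by EFS.
    $isEfs = [bool]($file.Attributes -band [System.IO.FileAttributes]::Encrypted)

    # Resolve each Allow entry to a SID so the check does not depend on display language.
    $acl = Get-Acl -LiteralPath $file.FullName
    $broad = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # account could not be resolved, skip it
        if ($broadSids -contains $sid) {
            '{0} ({1})' -f $ace.IdentityReference, $ace.FileSystemRights
        }
    }

    [pscustomobject]@{
        File         = $file.FullName
        EfsEncrypted = $isEfs
        BroadGrants  = ($broad -join '; ')
        NeedsReview  = (-not $isEfs) -or [bool]$broad
    }
} | Format-Table -AutoSize -Wrap
```

The Encrypted attribute reflects EFS only; a file on an encrypted storage medium will show `EfsEncrypted` as False even though the volume protects it.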

Known security incidents

A vulnerability in the way passwords were stored in both Money 2001 and Money 2000 was identified. It was fixed around August 16th, 2000, and the fix was distributed shortly afterwards as an automatically downloadable update (using smartconnect) within the program.

In addition, there was the file 'lockout' incident (see the July 2004 Russ' responses), although that was not a security breach, more like an incident which stopped your access completely!

Other articles

Pocket PC Home Page security - Article 134
Why MSN Servers are needed with Yodlee - Russ' Response, 25th July 2005