Russian security software firm Elcomsoft announced on Friday that the company's researchers had cracked the master password that secures encrypted Quicken files and which allows the software's developer, Intuit, to retrieve lost passwords.

Calling the existence of a 512-bit encryption key a "backdoor," Elcomsoft said the master key could be used by the federal government to access taxpayer records. Starting with Quicken 2003, Intuit beefed up the encryption of Quicken's password protection. While the better protection made it infeasible for a cracker to brute force the password to a particular Quicken file, Intuit offers a service to recover the files for people who had lost their passwords.

"It is very unlikely that a casual hacker could have broken into Quicken's password protection regime," Vladamir Katalov, Elcomsoft's CEO, said in a statement sent to SecurityFocus.

Elcomsoft, which specializes in creating password recovery -- or cracking -- tools, has ruffled feathers in the past for its announcements of security issues in software defenses. In 2001, U.S. law enforcement arrested Dmitri Sklyarov, an Elcomsoft programmer, at the DEF CON hacking conference for circumventing the security measures protecting electronic book formats. A federal jury found the programmer innocent of the charges that he, and Elcomsoft, violated the Digital Millennium Copyright Act, a controversial U.S. law that prohibits the circumventing of security measures except in a few specific cases.

The Russian firm notified the Computer Emergency Response Team (CERT) Coordination Center of the latest issue. Intuit did not immediately respond to a request for comment.

(c) http://www.securityfocus.com/