Cloud v Desktop - The Book-keepers Forum (UK)

Elaine Rae · Veteran Member

Cloud v Desktop

abacus12345 · Guru

Hi,

My opinion is for Sage desktop, others appreciate what VT offers.

Sage is expensive, but it is great software. [personal opinion of course]

The idea behind monthly subscription is to [again personal opinion] help against the fight of piracy.

Cloud software has its place for small [micro] businesses, if a client is there or there about with their own bookkeeping, yet just needs someone to check over things for them.

Desktop is the way forward for those who have a larger small business and those who have no clue about keeping accounts.

Cloud software feels restrictive, it is slow - I'm guessing that is due to server load on their end. But again it does have its place, a place for the right client, with the right business.

To answer your final paragraph, Xero is expensive- yet it is popular, I've only really tried Sage One as when registering you don't need to go through loads of sales patter to get online - you register, then job done.

Sage One is slow so anyone with masses of invoices I'd try to put off. Sage One final accounts I do rate highly, it is [to me] superior to any other final accounts package I've tried.

Cloud software gets expensive when you need to do the accounts of someone who uses the accruals method, as an oppose to cash method of accounting. From memory, Sage One cashbook [start] is around £6 per month, the fully loaded version, after introductory period goes up to around £20 per month.

With those prices in mind the client would need to be doing the vast majority of the bookkeeping else you'd need to be charging over £800 for the simplest business [one who uses accruals] where using desktop you'd be inline with maybe £500.

Elaine Rae · Veteran Member

Thank you for your thoughts.

I too found the cloud slow and restrictive which is why I moved my client from on-line to desktop. This business generates a lot of paperwork and that's why I do not feel that we should be relying on the internet to do our work, and we need to work faster than the cloud really allows us; just couldn't work out if it was just me that didn't think the cloud was appropriate for larger small business, as there seems to be such a big push from the software companies to move to it.

The quote I've have from Intuit is over £900.00 per year (discounted the first year) for three users. I think it may be time to have a look round and thank you for giving me something to look at. I have used Sage before, and have found them to be more expensive that QuickBooks, but it may be worth having a look at them again.

Elaine

Lyndsey · Senior Member

I like VT, it does handle large amounts of work pretty easily and fast. CSV and spreadsheet data can be quickly imported etc and for only one fee for unlimited clients. The only constraint I can see is that it doesn't have a great amount of reports out of it, I normally transfer the data into spreadsheets and produce my own reports from there.

Thanks Lyndsey

Leger · Master Book-keeper

Another vote for VT+ Brilliant software and it will be MTD compliant. On present pricing you'd be looking at £125 plus £99 per extra user if on same site, so thats £325 a year, nearly a 1/3rd less than QB. (I'm assuming VT+ will become an annual charge once MTD is included.

Elaine Rae · Veteran Member

Yes VT does seem to be getting the thumbs up; I'll have to look at it.

Thank you guys.

Cheshire · Master Book-keeper

Not read the whole post (sorry, no time) but why do you need to upgrade the software when it's only a 2016 version? I have a version that's from 2000

Cheshire · Master Book-keeper

Oops! Wast finished. On my phone so can't edit.

....version from 2000 and it works perfectly. Slso have one from about 2014 and that's fine too. Don't buy into the rubbish they tell you about having to upgrade every year.

Edited to correct typos

-- Edited by Cheshire on Wednesday 15th of March 2017 02:20:13 PM

Elaine Rae · Veteran Member

Hi Joanne, my thoughts exactly.

However, QuickBooks have been crafty in incorporating the payroll into the accounts software, as that now forces customers who use the accounts software to process their payroll to up-grade the accounts software each year.

We went down this line, as my client was sold with the idea of having the accounts and payroll all in one place, even though I wasn't convinced, which is why we bought QuickBooks Pro 2016 with the payroll. Now we're coming to the end of the tax year we need to up-grade the software to 2017 so that the payroll will have the up-dates, however the software which we installed onto our computer last year now comes at a much higher cost this year and only on a monthly subscription basis.

I have today been informed by someone at QuickBooks that they may even eventually drop the desktop version, which I think is a shame really as I do like the software but do not believe that the on-line version is adequate for our needs, and is a more expensive way of keeping your accounts as you are tide into a monthly subscription again. The accounts software does not require up-dating ever year, I have been quite happily working on the same accounts software for years without up-dating it, only when I've found the need or the software has moved on significantly to warrant the change. I also worry about buying into software where the supplier insists on selling it on a subscription bases, as I feel that this could take away any incentive to improve the product !!

Anyway, if anything QuickBooks have now given me a better argument to move the payroll onto a software which I much prefer, as this would really be the most cost effective choice for the next 12 months.

But again after a conversation with QuickBooks today I feel that the push to cloud based software is very strong from suppliers such as QuickBooks, and I was actually told today that they didn't want me to be left behind as so many people are making the move over; but is this really the case ?? or are people just going along with the sales pitch ??

I have a 'Bee in her bonnet '

VinceH · Expert

"I was actually told today that they didn't want me to be left behind as so many people are making the move over"

I would have replied with an animal sound - perhaps a loud drawn out "Moooooooooo". The Quickbooks person would have wondered why I'd done that, and I would have explained that "I'm not a sheep". And I would probably also followed that by saying "I'm also not a mug" and/or asked if they thought I'd be celebrating my first birthday in 364 days time.

The problem, as you've rightly spotted, was the previous change. It's kind of put you between a rock and a hard place - you either have to do what they want and pay the price (which is the real motivation of moving everyone onto a subscription-based package in the first place), or migrate to something else - and that's fraught with unknowns.

I'm not offering anything useful at this point - sorry - I'm just in a bad mood because of this sort of nonsense. Bah humbug.

Actually, my one piece of advice is to migrate and to hell with Quickbooks.

I am reminded of an encounter with Quickbooks support about fifteen years ago. The version I was using on a client's computer crashed and I couldn't get back into it. This was towards the end of the day, and I needed to get their VAT return done - and my knowledge of Quickbooks was very limited; I'd only just started working for this company.

I rang their support line to sort it out. When I gave the (American) twat I spoke to the necessary details, he quickly commented that I wasn't using the most recent version, and thoroughly recommended upgrading. I asked "Will upgrading solve the problem I have *right now*, and allow me to get this VAT return done?"

After a pause, the answer was "No" (of course) and I was told how to resolve the problem (a file needed to be deleted - normally cleared when you quit, because of the crash it was still there and causing the software to think I was already logged in - similar to an old problem with Sage).

I got that VAT return done, and moved that company off of Quickbooks forthwith.

pictures · Senior Member

Talking of support lines has anyone else had a letter from Sage saying they are withdrawing Sagecover Support after next year and offering a whopping 80% discount to upgrade to Sagecover Extra (they don't say what the price will be just it seems to offer lots of things we don't need!

Elaine Rae · Veteran Member

I haven't Julie, not yet anyway as I do use Sage for a couple of clients.

I have just rang my contact at QuickBooks to ask a question that I asked this morning about the subscription based desktop software. This morning I was telling the QuickBooks on-line sales person that I did not want to move to QuickBooks on-line and for reasons that I felt were justified, and that I wasn't happy with them forcing us onto a subscription based charging system for the desktop version and that I was currently looking at our options, maybe to move to another supplier. I told her that my worry was that we don't own the software and I want to buy the software so that we can use this indefinitely. I was told that we do own the software and that we could cancel our subscription and still access our accounts. NOT TRUE apparently. My other contact, the sales person for desktop, said that we can cancel our subscription anytime, but our license to access the accounts would be de-activated and therefore if we needed to access the data after cancellation then the only way to do it is to start paying the subscriptions again.

Therefore we are not purchasing the software, it's not ours to own, we are hiring the license to use there software and there is a big difference.

So, if my understand is correct, if my client found that his business had grown and that QuickBooks could no longer provide the service needed, it needed a more bespoke accounts system, then we would have to continue paying Quickbooks so that we could access the accounts possibly for the following 12 months (maybe more as we need to keep the accounts for 5/6 years) AND pay the new supplier !!!! I can feel the gun at my head.

I shall be gripping onto my QuickBooks Pro 2016 for dear life and hope it never goes wrong, well until someone else sees the gap in the market and produces a good accounts software that I can BUY.

Cheshire · Master Book-keeper

Elaine Rae wrote:
Hi Joanne, my thoughts exactly.

However, QuickBooks have been crafty in incorporating the payroll into the accounts software, as that now forces customers who use the accounts software to process their payroll to up-grade the accounts software each year.

We went down this line, as my client was sold with the idea of having the accounts and payroll all in one place, even though I wasn't convinced, which is why we bought QuickBooks Pro 2016 with the payroll. Now we're coming to the end of the tax year we need to up-grade the software to 2017 so that the payroll will have the up-dates, however the software which we installed onto our computer last year now comes at a much higher cost this year and only on a monthly subscription basis.

I have today been informed by someone at QuickBooks that they may even eventually drop the desktop version, which I think is a shame really as I do like the software but do not believe that the on-line version is adequate for our needs, and is a more expensive way of keeping your accounts as you are tide into a monthly subscription again. The accounts software does not require up-dating ever year, I have been quite happily working on the same accounts software for years without up-dating it, only when I've found the need or the software has moved on significantly to warrant the change. I also worry about buying into software where the supplier insists on selling it on a subscription bases, as I feel that this could take away any incentive to improve the product !!

Anyway, if anything QuickBooks have now given me a better argument to move the payroll onto a software which I much prefer, as this would really be the most cost effective choice for the next 12 months. But again after a conversation with QuickBooks today I feel that the push to cloud based software is very strong from suppliers such as QuickBooks, and I was actually told today that they didn't want me to be left behind as so many people are making the move over; but is this really the case ?? or are people just going along with the sales pitch ??

I have a 'Bee in her bonnet '

Run the old existing quickbooks to do the accounts and run separate payroll software. Job done, no need to upgrade, tell your client to keep his cash in his pocket. Will hazard a guess he or she didn't have a clue what integrated payroll meant or achieved (if anything) anyway and if it's all your role to keep up to date then he wont really care too much.

im presuming that is an option.

surely this is a prime example of when clients shouldn't make software decisions

Princess · Senior Member

QuickBooks told me on the phone the other day that I can buy 2017 desktop Premier/Accountant version for £450ish, cant' remember exactly and that anyone working for me could also have access to my licence on their laptop. I even mentioned that it would be subcontractors and they were happy with that. It's actually cheaper to do that then for each of us to buy the software individually. I don't use it for Payroll, I use Moneysoft so don't need to upgrade that often. So I'm sticking with 2015 and 2016 for now and then eventually will have to do that. I agree the online version is slow and I like to have more than one window open at a time.

abacus12345 · Guru

I've never tried QB, how does it compare with Sage 50?

£450 sounds like a steal.

Princess · Senior Member

In my opinion it's much cheaper, easier and quicker to use but there will be lots of people on here that prefer Sage. Depends what you are used to I guess. The reporting is definitely much better than Sage. My clients like the fact that they can choose the categories in the P&L and reorganise it to be useful to them.

abacus12345 · Guru

I do like Sage, it's the price I'm not a fan of.

Are there are major technical differences to be aware of?

Thanks

Amanda · Expert

Johnny,

I prefer QB's to Sage, I use Sage at a couple of clients, and it is their copy. I have QB's Pro 2016, and Premier Accountants 2013, and Premier is the best one by far and I love it. Easy to use, I like everything about it!

I have been using it now for 9 years.

Edit - I also use QB's online as well.

-- Edited by Amanda on Sunday 19th of March 2017 04:36:47 PM

abacus12345 · Guru

Hi Amanda,

That's interesting, thank you.

Are you a pro advisor? I only ask to see if there is value in completing the course. I assume there is a proadvisor for the cloud version to now?

Thanks

VinceH · Expert

"Are there are major technical differences to be aware of?"

My biggest gripe with Quickbooks is that it has a clunky user interface for entering data - or at least it did with the last version I tried (the 2015 version IIRC). It adopts a one screen per transaction approach for basic data entry, which I find slows me down hugely. This is where Sage wins out for me every time (followed by VT - but I find I'm much quicker with Sage than VT).

abacus12345 · Guru

That could be a deal breaker then.

I'm contemplating the 30 day free trial, yet obviously this is the online version of the full software - can't win.

I've never seen software buffer like a video! I wouldn't mind but I've Virgin as a ISP!

Sat at my PC watching software 'load' thinking 'this just ain't right!'

You can't tell me they put up with this in the small business departments of KPMG, EY and PwC????

VinceH · Expert

Well the advantage of a 30 day free trial is that you can try it and see what it's like! That's much better than the opinion of someone who has used [a different version of] the product!

Edit: Wait, hang on - I've just realised what you've said: You're *trying* the desktop version, but the trial is online?

Why don't they just provide a download version with limitations that prevent it being craftily used?

[cynic] Of course, they could do it the way your post seems to suggest and cripple its speed to make their cloudy offering seem better. [/cynic]

-- Edited by VinceH on Sunday 19th of March 2017 08:14:52 PM

abacus12345 · Guru

That's a very valid view point.

I hear that Apple and Samsung purposely slow down older devices with updated software....

VinceH · Expert

Hmm...

I haven't switched my PS3 on in quite some time, but I have made a mental note that when I do I need to ensure it doesn't get an internet connection for a very similar reason. I read somewhere (fairly recently, but I'm not sure where now) that Sony have put out an update that is, shall we say, "sub-optimal" - the suggestion being that it was done deliberately in order to push sales of the PS4.

I might have bought a PS4 if it was fully backwards compatible so that I could play my existing PS1, PS2 and PS3 games on it - but it isn't (without paying again for what I've already bought*), so I don't want one. It's as simple as that.

* I have enough games, and play infrequently enough - so most I've not even played once yet - that they will easily last me until I pop my clogs.

Elaine Rae · Veteran Member

Cheshire wrote:
Elaine Rae wrote:
Hi Joanne, my thoughts exactly.

However, QuickBooks have been crafty in incorporating the payroll into the accounts software, as that now forces customers who use the accounts software to process their payroll to up-grade the accounts software each year.

We went down this line, as my client was sold with the idea of having the accounts and payroll all in one place, even though I wasn't convinced, which is why we bought QuickBooks Pro 2016 with the payroll. Now we're coming to the end of the tax year we need to up-grade the software to 2017 so that the payroll will have the up-dates, however the software which we installed onto our computer last year now comes at a much higher cost this year and only on a monthly subscription basis.

I have today been informed by someone at QuickBooks that they may even eventually drop the desktop version, which I think is a shame really as I do like the software but do not believe that the on-line version is adequate for our needs, and is a more expensive way of keeping your accounts as you are tide into a monthly subscription again. The accounts software does not require up-dating ever year, I have been quite happily working on the same accounts software for years without up-dating it, only when I've found the need or the software has moved on significantly to warrant the change. I also worry about buying into software where the supplier insists on selling it on a subscription bases, as I feel that this could take away any incentive to improve the product !!

Anyway, if anything QuickBooks have now given me a better argument to move the payroll onto a software which I much prefer, as this would really be the most cost effective choice for the next 12 months. But again after a conversation with QuickBooks today I feel that the push to cloud based software is very strong from suppliers such as QuickBooks, and I was actually told today that they didn't want me to be left behind as so many people are making the move over; but is this really the case ?? or are people just going along with the sales pitch ??

I have a 'Bee in her bonnet '

Run the old existing quickbooks to do the accounts and run separate payroll software. Job done, no need to upgrade, tell your client to keep his cash in his pocket. Will hazard a guess he or she didn't have a clue what integrated payroll meant or achieved (if anything) anyway and if it's all your role to keep up to date then he wont really care too much.
im presuming that is an option.
surely this is a prime example of when clients shouldn't make software decisions

It has been very interesting reading everyone's replies; and re-assuring that other people have had issues with the on-line version being slow and that the cloud isn't necessarily the best option for everyone.

I do have the option to run the existing QuickBooks for the accounts and I think this is the path I would prefer as I would like to move the payroll to 12Pay, and I don't see why my client should pay out all that money for not much in return; but at the end of the day the final decision will be the clients.

I will certainly be looking at other options for the accounts software, as the company is growing so eventually this desktop version may not suite all our needs anyway, so I really appreciate the comments and ideas given and would love to read more if anyone has anything further to add.

Thank you

Elaine

abacus12345 · Guru

I've been playing with QB, no year end, no option to make a credit note land anywhere other than against the initial invoice - for instance, a post I was reading, by Seb -

I couldn't find a way to issue a credit note against the supplier to land in HP/Finance lease etc.

In Sage, piece of cake.

Each new client you need to create a COA, yes, ordinarily you have to amend and adjust, out the box you have five nominals -

Unless I was doing something wrong, a VAT repayment shows in current liabilities???

I gave up after that. Bonus is you get a free cloud version for your own accounts.

JRA · Veteran Member

Interesting topic.

I am having the same debate with myself. Currently using Sage (cloud) however, not keen on the pricing structure and now wondering if time for me to move to VT and taxfiler?

Used VT years ago as was okay, maybe not as pro looking as Sage, however, relatively cheap, and available offline. I know lots of places have wifi these days, however, there is something nice (old fashioned) about being able to turn on and go.

Question is, do I but VT and tax Filer and keep Sage also....

abacus12345 · Guru

Hi Chris,

Could I please ask how much of your CIMA knowledge you use in your day to day with small businesses?

Do you offer any management or costing services?

Thanks mate

bk · Senior Member

I use VT and Taxfiler and find they meet my needs very well. Those clients who feel happy using software use VT, in fact I managed to get one client to move from Sage to VT. They say they prefer VT and definitely prefer the price

JRA · Veteran Member

Hello Johnny,

Thanks for you question.

I suppose it's hard to split what I do between 'practice' and CIMA.

I am happy to offer costing services where required. I also try to encourage my clients to look at forecasting which is a bit more CIMA I guess.

What do you mean by management? Mgt Accounts and general mgt?

abacus12345 · Guru

Hey, yes, CIMA is obviously powerful with the management side of accounting, do you use much of that, from the syllabus, or is it a case of mainly statutory reporting that clients are interested it? Thanks Chris.

Cheshire · Master Book-keeper

abacus12345 wrote:
or is it a case of mainly statutory reporting that clients are interested it? Thanks Chris.

Would this in part not be dependent on the size and nature of the business being looked after and also them (and you) having the flexibility to be able to change. Eg businesses may start off with a simple business model and not require much more than headline figure reporting but then new sector regulations are brought in which allow for expansion. Said expansion/new business model requires funding, of some sort, at which point the provision of management accounts becomes a monthly requirement/condition of said funding. Business too small to have their own FD but use the services of an Accountant (be it AAT, CIMA, ACCA or bookkeepers with the knowledge) who then is required to assist.

abacus12345 · Guru

Yes I see where you are coming from.

Much depends on the business and what the vision is for said business.

This sort of links in with my value added thread too. Some interesting options available.

I can see how you'd make a small fortune in a business consultancy / management accountancy capacity. Aside from actually designing and calculating said accounts you'd need to actually spend time within the business seeing how it actually works and how improvements could well be made.

Interesting stuff!

VinceH · Expert

Just found this infographic type thing on Sage's website: http://www.sage.co.uk/software-and-services/cloud-accounting-software/staying-safe-in-the-cloud

I've extracted a particularly good bit:

Personally, I consider accounts data to be ultra-sensitive. Just saying.

Also, if you look further down where it says "How long does it take a pro hacker to break a password?" I'd like to see their evidence supporting the claim that 'passworD' is so much better than 'password' (one month three weeks to crack instead of a fraction of a millisecond - is the hacker using a ZX Spectrum, FFS?) - it is not mixed case (or special characters) that matter these days, it's LENGTH.

Leger · Master Book-keeper

inceH wrote:
Also, if you look further down where it says "How long does it take a pro hacker to break a password?" I'd like to see their evidence supporting the claim that 'passworD' is so much better than 'password' (one month three weeks to crack instead of a fraction of a millisecond - is the hacker using a ZX Spectrum, FFS?) - it is not mixed case (or special characters) that matter these days, it's LENGTH.

I've been told incorrect is the best password to use, as if you get it wrong it will say "Your password is incorrect" biggrin biggrin

I remember reading some months ago that using a made up phrase is far better than using a mixture of characters and words. I must admit that my passwords are usually 8-10 numbers/letters including some uppercase ones. I think I need to switch to a phrase.

VinceH · Expert

There's a well known XKCD strip about password strength which offers good advice on password length - but IMO it is flawed slightly. The first part of that flaw is where it talks of remembering the password, suggesting that by the time you've reached the end of the strip you'll have remembered the long password made of four random words. It was a few years, IIRC, before it was committed to my memory.

The second part is also the notion of needing to remember it - you shouldn't, and the idea that you should suggests not many passwords to remember, or password re-use, which is A Very Bad Thing^tm. Make every password unique and use something like KeePass (which I thoroughly recommend) to store them.

However, that aside, let's compare what Randall Munroe (XKCD's author, and ex NASA programmer - so he knows his stuff) says with what Sage says in that infographic.

According to that XKCD strip, 'Tr0b4dor&3' would take about three days at 1000 guesses per second (which is probably quite slow by today's standards).

The closest equivalent amount of time according to Sage is the shorter 'pa55word', at two days twenty one hours. In their defence, they don't specify the range of characters that could be allowed - so if we ASSUME it's the same, then it must have less entropy because it's shorter (a password's entropy is the number of possible characters allowed, raised to the power of its length). I can't be bothered to even attempt to work it out, but given that XKCD just tells us three days, and we don't know the amount of rounding, then two days twenty one hours might be plausible for a slightly shorter password with the same range.

However, the next example they give is 'passworD' with an estimated crack time of one month three weeks.

What?

It's the same length, lacks numbers, and has mixed case - one upper case letter. Yet it somehow takes that much longer to crack - so must have more entropy? How?

The answer is that the assumption above was wrong - the entropy in this one must be more because there is a greater range of characters allowed. So what's that range? A corrected assumption based on what we can see is: 'pa55word' is all lower case + numeric digits, so perhaps that's what's allowed: A range of 36 characters. Meanwhile, 'passworD' is lower and upper case, so perhaps that's what's allowed: A range of 52 characters.

In both cases, 'Tr0ub4dor&3' is longer - and clearly involves a greater range. Its entropy must therefore be greater (still can't be bothered to try to work it out) - so now the two days twenty one hours of 'pa55word' looks optimistic, and the one month three weeks of 'passworD' looks ludicrous.

Now look at their best suggestion: 'Mypa55worD!'

Here we have: 11 characters - the same length as Tr0ub4dor&3 - and not just numbers and letters, but there's an exclamation mark in there as well. Let's be kind again, then, and assume the suggestion is that the same range is allowed. Same length, same range = same entropy.

So according to the ex NASA programmer, that would take about three days to crack - but according to Sage, it would take over eleven million years - which it is worth noting, as well, is considerably longer than the ex NASA programmer suggests the four word password would take.

I know which I'd believe.

Hint: It's not the company that writes software in which I've found lots of bugs over the years!

(I did consider if Sage may be miscalculating the entropy by working it out based on the range of characters used, rather than allowed - but that would reduce it, and therefore their strangely high times become even more questionable. Like I said, though, if they're assuming the hypothetical hacker is using a ZX Spectrum, that's another matter...)

-- Edited by VinceH on Thursday 4th of May 2017 11:41:28 PM

Leger · Master Book-keeper

I'm no doubt being naive, but like say on this site, is it possible to enter passwords at 1000 guesses a second? I would hazard a guess that you could only do one or two a second.

Some sites will only let you have 5 guesses before blocking you, whether that's a temporary block of 10 minutes, or a requirement to contact the site owner to manually unblock it.

I'll have a look at keepass, I've tended to avoid these kind of things because (no doubt naively) I think, well you've got to put your password in to begin with, is that a weak spot. That said its a one of event, and they would pick it up anyway if you entered it every time.

VinceH · Expert

When we talk about password cracking, we aren't talking about the Hollywood thing where someone tries to brute force a password entry screen by having something fire all possible password combinations at it until the right one is discovered (which is even more laughable when, somehow, there is feedback that says the 'nth' character has been cracked).

This is more about what happens when someone has found a weak point in the website itself, and has been able to pilfer a copy of the user database - so they have a list, in effect, of all the details we give as users - including our email addresses, our log-in names, and our passwords. Those passwords should be salted and one-way hashed, so they aren't in plain text.

Oversimplifying quite a bit:

A hashing function such as SHA-1 will take any given input and return a hex string that represents it - consistently; the same input into the same hashing function will always produce the same result. Importantly, cryptographic hashing is one way only: the hash can't be reversed, so there is no way to take a hash value and compute the password that resulted in it.

However, with the speed of computers today, throwing large sequences of character combinations at a hashing function is possible. This is where the 1000 tries per second thing comes in. Say you're a black hat, and you have a user database - you have a program sequence through character combinations, hashing them, and comparing the resulting hashes with the hashes in the database.

Once your program reaches 'password' and finds the SHA-1 hash is '5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8' which is in the database, for user EasyPrey who's email address is easyprey@example.com, you now have that user's log-in details - and quite possibly his log-in details for other sites, with password re-use a common thing.

That cracking can be sped up a little bit through the use of something called rainbow tables: If you're cracking the password databases by hashing all possible combinations, your overhead for each attempt is that for each each one you must hash the combo, then compare the result with each hashed password in the database. A rainbow table is a table of possible passwords (starting with more commonly used ones first) and their hashes. So before going the brute force combo hashing route, you compare these hashes with the hashes in the database. Find a match and you have the password.

This is where salting comes into it. Salting means adding a fixed string or value to the password as submitted by the user, before it is hashed - it therefore adds a modicum of extra difficulty to the password cracking process; unless the salt is something silly like 'word' and a user can have 'pass' as his password, salting effectively renders rainbow tables useless, which means it has to be the brute force approach of hashing all possible combinations until the right one is found.

And the longer the password, and greater range of characters allowed, the more entropy there is and the longer that approach takes.

Also, an important thing to take from this is: Passwords stored on servers should be one way hashed - not reversible. Whenever you log-in, whatever you enter as your password should have the salt added, and the result of that hashed using the same hashing function as when the password was originally stored. If the stored hash matches the one computed from what you've entered, you've entered the right password.

That means that the site should never be able to tell YOU what your password is in the event it's lost - because the hash is not reversible. If a site is able to tell you what your lost password is, it must be storing them in plaintext or encrypted in a way that is reversible. Not good.

KeePass does indeed require a password. The database is encrypted, and it's local - stored on your computer, not some remote server. You enter your password when loading the database, and then (until it is quit/closed) it remains accessible. You can configure it to close automatically if you don't have a password entry open. It can also generate strong (i.e. long) passwords.

abacus12345 · Guru

Vince, I'm astounded by your knowledge - it is insane. I know people who know IT and they make a fortune too. But your knowledge is cyborg like - crazy! Very impressive. You're the guy Steve Jobs needed on Lisa.

-- Edited by abacus12345 on Friday 5th of May 2017 01:40:43 PM

Leger · Master Book-keeper

Ah, I see. Many thanks for the detailed explanation. I used to use cubecart some years ago, and in the earlier version the admin password was unencrypted, so I was able to retrieve it from the SQL database. When I tried to do the same thing on a later version, it was just a string of numbers and letters.

Cheshire · Master Book-keeper

abacus12345 wrote:
Vince, I'm astounded by your knowledge - it is insane. I know people who know IT and they make a fortune too. But your knowledge is cyborg like - crazy! Very impressive. You're the guy Steve Jobs needed on Lisa.

-- Edited by abacus12345 on Friday 5th of May 2017 01:40:43 PM

Like! biggrin

Leger · Master Book-keeper

Cheshire wrote:
abacus12345 wrote:
Vince, I'm astounded by your knowledge - it is insane. I know people who know IT and they make a fortune too. But your knowledge is cyborg like - crazy! Very impressive. You're the guy Steve Jobs needed on Lisa.
Like!

Thirded.

VinceH · Expert

Not really - anyone who knows anything about anything in IT should know this stuff.

(I wish I *was* making a fortune out of it, though!)

John: Ref Cubecart and your ability to get the admin password out of it at one point, and subsequently not - that's not uncommon. Chances are it was originally put together in an earlier, more naive age of internet usage, and as lessons were learnt better security was bolted on.

Edit: Originally ended that last paragraph with a Yoda impersonation... "better was security bolted on."

-- Edited by VinceH on Sunday 7th of May 2017 02:47:23 PM

VinceH · Expert

I've just spent half the day posting a frighteningly small number of transactions to Xero - first time I've used it (client has moved to it from another system) so I'm still largely in exploratory mode.

First impressions after an hour or so: Rubbish.

Second impression after half a day: The rubbish even rubbish considers rubbish.

Edit: Misplaced 'it'

-- Edited by VinceH on Sunday 7th of May 2017 07:10:52 PM

Leger · Master Book-keeper

VinceH wrote:
I've just spent half the day posting a frighteningly small number of transactions to Xero - first time I've used it (client has moved to it from another system) so I'm still largely in exploratory mode.

First impressions after an hour or so: Rubbish.

Second impression after half a day: The rubbish even rubbish considers rubbish.

I can understand a client moving to the cloud if they are inputting the data, but if you're doing it then surely that information isn't getting to them much quicker. Whats the benefit to your client by switching software?

I don't know the first thing about xero but does it not let you do batch input or import via csv?

VinceH · Expert

Sorry... I may have phrased that slightly poorly.

The main reason for so few transactions is because I was largely in exploratory mode, so I spent more time looking around the system (and for specific things) than inputting - in part because how I input would be affected by what I found. And what I found left me underwhelmed and unimpressed.

Xero is one of the big names (THE big name?) in cloudy accounts and my impression after my initial usage yesterday is that it's not a patch on a proper desktop package.

The client hasn't moved from desktop to cloud, they've moved from one cloudy package to another. They were already using cloudy accounts (and input some transactions themselves) before they came to me a couple of years back.

Leger · Master Book-keeper

Ah, sorry, I thought client had swallowed the cloud mantra but was wanting you to do the inputting.

Did you find Xero worse than the previous cloudy package?

VinceH · Expert

It's too early to say properly, but my first impression is that it's better in some ways, not so good in others.

The way it handles supplier payments on account, for example, is fundamentally broken IMO - and this is why I spent so long investigating how it works yesterday¹, rather than actually doing any real work.

On the flip side, using the bank feed as part of the bank reconciliation is useful - though I found myself still referring to the paper statements.

The ability to import a CSV file has been mentioned before in one of these discussions. I've not specifically looked for the feature (I don't think it would be all that useful for this particular client), but it didn't jump out at me while looking around².

This morning I came up with an idea that would bend Xero's daft approach to something more akin to what I want, so I set up a trial account to test the idea out (and investigate its brokenness further). My solution appears at first glance to work, so that's something - but I'm not impressed that I had to do something like this.
While I'm in the trial account, I've looked around and the CSV import isn't jumping out at me. There's a file upload button, but that just leads to a generic file upload dialogue - no specific 'import' facility with instructions on the fields needed etc. I suspect it's done through that generic dialogue with some steps afterwards, so I'd need to seek out instructions first. But if I have to do that, it's not intuitive.

abacus12345 · Guru

I had similar experiences with QB online. Not impressed especially as how others seem to find it a breeze. In my defence I can get Sage to do exactly what I want it to do. Not meaning to sound like a Sage Fanboy, but..

VinceH · Expert

TBH, I can only assume that people who seem to find these noddy cloud packages a breeze are either:

Only have clients with very simple requirements, which are easy to deal with,
Possibly cutting corners and not doing things entirely correctly - working to the software's weaknesses
Or simply deluding themselves.

2 and 3 are not necessarily be mutually exclusive.

I note that according to the logo in the corner, Xero describes itself as "Beautiful accounting software":

I've long had an opinion on products that are marketed as 'beautiful' and I put that opinion into three tweets earlier today:

Unless you are in the beauty/related industries, if you describe your products as "beautiful" I think you're putting form over function.
And thus far, I think for very close to (if not) 100% of such products I've ever used, that opinion has proven correct.
Note: I don't use beauty products (which could be why I'm so ugly), so for all I know the same could hold true there for some things.

Okay, the third one is a bit of an amusing aside - but in the tech industry (including software) the first two certainly seem to hold true. It definitely does for Xero.