[OWASP-Security101] Fwd: 3rd Party Credentials

Thomas Brigham tkbrigham at gmail.com
Wed Jul 12 23:47:00 UTC 2017


All,

I am interested in making an application that uses/aggregates 3rd party
data. These 3rd party sites do not have open/available APIs that I can use
to log in. As such, I imagine that I will have to be able to provide
plaintext username and password combinations to these sites.

Sites like Personal Capital <https://www.personalcapital.com/> seem to be
able to do this with a high degree of confidence that the passwords are
transmitted and stored in non-plaintext format.

How is this possible? What's the best way to approach this problem?

I've also read these articles, which were all cited by the same person (and
I believe that same person authored them):
- Storing clear text PW
<https://security.stackexchange.com/questions/17739/what-is-the-best-way-to-securely-keep-clear-passwords/17785#17785>
- Logging into 3rd party service
<https://security.stackexchange.com/questions/15174/how-can-i-create-a-service-that-automatically-logs-onto-a-third-party-service-wi/15195#15195>
- Storing PW that needs to be recovered as plaintext
<https://security.stackexchange.com/questions/24128/how-should-you-store-a-password-that-needs-to-be-retrieved-as-plaintext/24146#24146>

Do these have the right idea? Are there any further steps that should be
taken?

Thanks,
Thomas Brigham
571-435-5250

