[OWASP-Security101] Fwd: 3rd Party Credentials

Xander Sherry xander.sherry at gmail.com
Thu Jul 13 18:37:42 UTC 2017

Those answers are all written by the same person.  D.W is David Wager (
https://en.wikipedia.org/wiki/David_A._Wagner) and he does indeed know what
he's talking about.   The approach he suggests is a good one.  The only
thing I'd add is that although he mentions it, I think he under-emphasized
the role of an HSM for protecting the keys that protect the credentials in
this scenario.   If the credentials are valuable at all, I would suggest
that this is absolutely essential.

Best regards,

-Xander Sherry

On Wed, Jul 12, 2017 at 7:47 PM, Thomas Brigham <tkbrigham at gmail.com> wrote:

> All,
> I am interested in making an application that uses/aggregates 3rd party
> data. These 3rd party sites do not have open/available APIs that I can use
> to log in. As such, I imagine that I will have to be able to provide
> plaintext username and password combinations to these sites.
> Sites like Personal Capital <https://www.personalcapital.com/> seem to be
> able to do this with a high degree of confidence that the passwords are
> transmitted and stored in non-plaintext format.
> How is this possible? What's the best way to approach this problem?
> I've also read these articles, which were all cited by the same person (and
> I believe that same person authored them):
> - Storing clear text PW
> <https://security.stackexchange.com/questions/
> 17739/what-is-the-best-way-to-securely-keep-clear-passwords/17785#17785>
> - Logging into 3rd party service
> <https://security.stackexchange.com/questions/15174/how-can-i-create-a-
> service-that-automatically-logs-onto-a-third-party-service-wi/15195#15195>
> - Storing PW that needs to be recovered as plaintext
> <https://security.stackexchange.com/questions/
> 24128/how-should-you-store-a-password-that-needs-to-be-
> retrieved-as-plaintext/24146#24146>
> Do these have the right idea? Are there any further steps that should be
> taken?
> Thanks,
> Thomas Brigham
> 571-435-5250 <(571)%20435-5250>
> _______________________________________________
> Security101 mailing list
> Security101 at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/security101
> List Run By OWASP

More information about the Security101 mailing list