by samtho 1591 days ago
This is my reaction every time I see a service like this. In addition to training users that it is somehow okay to just give up your credentials to a 3rd party, you are now indefinitely allowing the storage of passwords in a fully reversible format on a platform you have no control over.

Despite all the best efforts by any company engaging in this practice to protect your passwords, these entities are setting themselves up to have a huge target on their back. The technology they employ relies on being able to decrypt passwords programmatically which means it becomes visible on the server’s RAM and could potentially be triggered to decrypt the password as part of an attack. Given that a majority of people use the same passwords for multiple services, it is likely an attacker would be able to determine credentials for someone’s bank or email account via a credential stuffing attack.

Plaid with a bank that does not support OAuth scares the hell out of me, and I have backed out of using services because this was the only way to enter bank details. I am still shocked that this is largely considered an okay practice.