
Ask HN: Does mint.com store banking passwords in plaintext? - aerovistae
I just tried signing up for Mint.com and was astonished when it asked for my banking password; I thought for sure they had some sort of better arrangement than that. If Mint is signing into my bank account directly, rather than using some sort of secure API to access it, then that must mean they're storing bank account passwords in plaintext, does it not?

I am certain I must be wrong, as this would be preposterous, but I would really like to hear if anyone knows how this actually works before I give them that sort of information.
======
Kortaggio
Mint's 2010 VP of Engineering answers this question on Quora:
[http://www.quora.com/How-do-mint-com-and-similar-websites-av...](http://www.quora.com/How-do-mint-com-and-similar-websites-avoid-storing-passwords-in-plain-text/answer/David-K-Michaels?share=1)

Apparently, it's stored encrypted but will be decrypted on-the-fly when Mint
needs to refresh your banking data.

Edit: Here's the patent he referred to that handles the decryption:
[http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=H...](http://patft.uspto.gov/netacgi/nph-Parser?Sect2=PTO1&Sect2=HITOFF&p=1&u=/netahtml/PTO/search-bool.html&r=1&f=G&l=50&d=PALL&RefSrch=yes&Query=PN/8566952)

~~~
aerovistae
That's perfect, thanks. Answers question precisely.

------
pjungwir
I don't know about Mint, but a lot of companies use Yodlee, which provides an
API so that if a user gives you their banking credentials, you can pass those
to Yodlee and access their bank account. I think Yodlee is basically a giant
screen-scraping project that uses the credentials to log in via the bank's
HTML login form and get account details. I think it's a pretty expensive API
to use. This whole thing seems crazy to me. I can't imagine entrusting another
company with my banking password! And as the Mint Quora answer says, this
system basically requires them to store your bank password with reversible
encryption.

~~~
bitshepherd
Fun fact about Yodlee: if you link a bank account to a PayPal account, by the
very act of doing so, you grant Yodlee and PayPal power of attorney.

Makes ya think about the fine print with sites that deal with bank account
details.

------
kohanz
Regardless of how Mint.com secures the passwords, simply supplying the
password to a 3rd-party such as Mint likely violates the TOS for your bank.
Whether this would become an issue should your account become compromised (via
Mint or something completely unrelated) is impossible to say, but it's enough
to have made me stay away from Mint.

------
AznHisoka
The guys who sold Mint.com probably felt a huge load/mess taken off their
backs. The engineering needed to support their entire operations probably
required a ton of maintenance.

Also, I chose not to use Mint because a lot of banks LOCK you out when they
detect a login from an IP that isn't usually yours.

------
saluki
I'm amazed banks don't provide a read only login to use with services like
Mint. I never understood providing your banking full access username/password
to any service.

------
sfunk1x
Pretty safe to assume that nobody you give credentials or personal data to
stores any of it in a strongly encrypted fashion.