Storing login credentials within 3rd party apps can introduce significant security risks. I recently tested an application to determine its usefulness and fitness for purpose. As with several other applications experimented with over the years, this one included the option to integrate directly with other systems; in this case, one of the social media platforms. In the settings, a configuration option was available to add the user name and password so that the application could connect to access data directly. A couple of examples include:
- Banking applications which allow connections to several bank accounts where data is collected from multiple sources to create a financial dashboard
- Apps that connect to file storage systems, such as to catalogue songs and create playlists
These tools offer useful functionality, but there are security implications with this concept. Firstly, let’s not confuse this with single-sign-on (SSO) capability. Many websites and applications integrate with Facebook and Google for login purposes, but when signing in with Facebook or Google, the apps don’t have direct access to the login credentials. The quantity of data shared through this process has been controversial and has drawn vast media attention. However, the focus here is on cases where applications ask for login credentials to be entered and stored for subsequent use, and where the application has direct access to the credentials. Essentially, this is permitting the application to access other systems and by extension, consequently, potentially giving human access to those systems.
How do you know what these applications are going to do with your login credentials? The logon credentials could be stored securely, but could just as easily find themselves held in plain text in a database with little or no security. Applications can easily be custom made to offer something useful to the target audience, with the hidden agenda of capturing user credentials given willingly by their users.
Banking organisations and social media platforms invent significant resources to improve security. It doesn’t make sense to use them with apps that may have been developed by a small business or one person with minimal resources and information security capability.
Here are some options to reduce the risks:
- Don’t give 3rd party user credentials to apps, websites or other services
- Exercise vendor and application due diligence before adding 3rd party user credentials
- If 3rd party application integration is essential, consider creating a dedicated account to use. Depending on the purpose, this may or may not be a viable option.
It is best practice never to share your username and password with anyone. Sharing your usernames and passwords with 3rd party applications can have the same or worse consequences.
Robert is an information security consultant with over 20 years of experience across a diverse range of organisations, both in the UK and internationally. Robert graduated in 1997 with an honours degree in software engineering for security and safety-critical systems. Robert is contactable directly through LinkedIn.