
Not a Plaid user, but I believe Mint works the same way. It seems to only decrypt my bank credentials with a key derived from my session password, so I suspect Plaid, if what you say is correct, do something similar.

Basically, my password is hashed to see if I can log on. Then it's passed through a PBKDF to get the decryption key for my actual accounts, then that information gets sent to the scrapers to do the actual job. They don't store the keys after the job is done. The upshot is that a full database breach doesn't result in any bank credentials leaking, at the cost of inability to update accounts without the user explicitly logging in.



Mint will update transactions in the background (not only when you log in).

In order to do so, they most likely keep your banking password around in memory.

Note: Mint uses OAuth for access to Chase bank accounts, which is great. Last I checked Plaid does not.


So if the hashing is done correctly, and you lose your password, you aren't going to be able to sign in anymore?



