I realize that in general, you should not store user credentials directly (i.e., in plain text); rather, it is best to store some encrypted form of them.

However, suppose I create a website that interacts with some other 3rd party site; and let’s say this 3rd party site offers an API that requires the user’s credentials (with that site) for authentication.

If my goal is to, say, provide a superior UI or introduce additional functionality on top of the services provided by this 3rd party, then it seems to me I need to actually store the user’s credentials somehow so that I can use the API—not the user’s password for my site (I can hash & salt that one), but for the external site.

Is there a “right” way to do this? My initial thinking is to store the credentials encrypted in some form such that they can be decrypted on the server for purposes of making API calls to the 3rd party service. This would mean that an attacker would need to understand how the encryption/decryption works in order to steal the user’s external passwords. However, that does not seem so far-fetched to me; a clever hacker who had already breached the server hosting my application would probably be able to get at the code and figure it out pretty easily.

So, that approach seems like better than nothing but not exactly great. Are there other strategies that people use? Is this entire concept (interacting with a 3rd party service requiring user credentials) ill-advised?

I have to believe there is at least some reasonably secure way of dealing with this situation since it seems relatively common among even some fairly high-profile websites (e.g., Mint.com).

Update: Just to clarify: I am aware that in an ideal world, the 3rd party service would implement some version of OAuth (or an equivalent) so that I would not have to store credentials. Unfortunately, the reality in this case is that the 3rd party service requires user name and password to be sent in every API request. So is the consensus that I’m hearing, then, that in this case most developers would just refuse to use the service (and most likely suggest to them that they implement OAuth)?