I'm building a web application that shows users interesting visualizations of their Gmail activity (who they're emailing the most, etc). Obviously the user needs to give me his Gmail password to use the application, and I'm wondering how I should store it:
- Store the Gmail password in plaintext. Risky!
- Don't store the Gmail password at all; force the user to enter it every time he wants to sync data. Potentially inconvenient!
- Encrypt the Gmail password before storing it. The user's password to my application is the key.
Something like (3) seems best, but with (3) I can only sync data when the user logs in (since I won't know his password to my application at any other time), which isn't ideal. I'd prefer a Mint.com-like solution whereby the user can click a button to sync data from Gmail at any time without re-entering his password (any idea how Mint accomplishes this without storing your banking passwords?)