Best practice for 3rd party credential storage

I’d love to have a conversation about best practices for storing, and using, 3rd party passwords in a Yii application.

There are still a lot of SaaS providers that use user-specific username/password authentication to access their API.

Where do we store this username/password inside Yii applications? Do we store them in plaintext?

This seems like a security risk but I’m unclear of any other solution. I’d much prefer handing off the storage of those passwords to a hardened provider of some sort, but, even then, wouldn’t I need to fetch that information and store it locally in plaintext (even if just in memory) to use it every time authentication against the 3rd party API was needed?

I wrote a native PHP application decades ago (and still use it) for keeping passwords online. My personal passwords were going to reside on a rented server somewhere and I obviously did not want to trust that the data would be secure at rest. So I created this application where of course the passwords would be encrypted. I used a 3rd party encryption library. The way to do this is to have a “salt” that will generate unique encryption for a given input and salt. In my application I did not want to store the salt on my server as the admins can see the salt! So I made the salt part of the login username and password that you used to first log in. The only way to obtain the plaintext password would be when data is in motion (on the server itself with xDebug) - which there is no way to work around, since you finally need the password - or, maybe there is a way - you would have to use a JavaScript library that further decrypts the password on the client. It was too much to implement, so I did not go that far.

Below is the app - still available for anyone to use! It’s simple no-framework basic coding.
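A sketch of the scheme this reply describes, added here as an example; it is not the poster's application and not code from the thread. It assumes PHP 7.2+ with the bundled sodium extension, and the function names and sample values are hypothetical: the key is derived from the user's login password at request time, so the server only ever stores a random salt, a nonce and the ciphertext.

```php
<?php
declare(strict_types=1);

// Stretch the login password into a secretbox key. Only the random salt is
// stored; the password and derived key exist in memory for the request only.
function deriveKey(string $loginPassword, string $salt): string
{
    return sodium_crypto_pwhash(
        SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $loginPassword, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE
    );
}

// Returns base64(salt || nonce || ciphertext+MAC), suitable for a DB column.
function sealCredential(string $plaintext, string $loginPassword): string
{
    $salt  = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $key   = deriveKey($loginPassword, $salt);
    $box   = sodium_crypto_secretbox($plaintext, $nonce, $key);
    sodium_memzero($key); // wipe the key as soon as it is no longer needed
    return base64_encode($salt . $nonce . $box);
}

// Returns the 3rd party credential, or null on a wrong password or a
// truncated or tampered record (the MAC check fails in both cases).
function openCredential(string $stored, string $loginPassword): ?string
{
    $s = SODIUM_CRYPTO_PWHASH_SALTBYTES;
    $n = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    $raw = base64_decode($stored, true);
    if ($raw === false || strlen($raw) < $s + $n + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $key   = deriveKey($loginPassword, substr($raw, 0, $s));
    $plain = sodium_crypto_secretbox_open(substr($raw, $s + $n), substr($raw, $s, $n), $key);
    sodium_memzero($key);
    return $plain === false ? null : $plain;
}

// Constructed sample values, for illustration only.
$stored = sealCredential('api-user:constructed-secret', 'constructed login password');
var_dump(openCredential($stored, 'constructed login password'));
var_dump(openCredential($stored, 'wrong password'));
```

The stored value can only be opened while the user's login password is present in the request, so unattended jobs (cron, queues) cannot use credentials protected this way. The decrypted credential still exists in process memory for the duration of the API call.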