Moneydance+ Bank User/Password Save Location

wamzhskqmhwxphop's Avatar


13 Oct, 2021 04:10 PM

Hi, I'm supportive of moneydance+ as the banks really gave you/us no choice and I'm ok with $2/month to avoid the manual downloads.

However, I'm unclear on where Moneydance+ bank credentials are saved. I've never password protected my MD file as it's not necessary in my environment. When I click Forget Online Passwords, my moneydance+ connections still work without prompting me for a password. So, where is this data stored? In my MD file?

  1. 1 Posted by Stuart Beesley ... on 13 Oct, 2021 04:40 PM

    Stuart Beesley (Mr Toolbox)'s Avatar


  2. 2 Posted by Stuart Beesley ... on 13 Oct, 2021 05:14 PM

    Stuart Beesley (Mr Toolbox)'s Avatar

    Read this:

    In addition it’s unclear whether Plaid can initiate payments from your accounts. Some links say it’s read only, others that it can make payments.

  3. 3 Posted by dwg on 13 Oct, 2021 08:16 PM

    dwg's Avatar


    I believe you last sections describe how Plaid works with Open Banking. In the U.S. they could be using a variety of systems, with some I think Plaid would need to hold the username/password, with others it could be tokenised.

  4. 4 Posted by Stuart Beesley ... on 13 Oct, 2021 08:24 PM

    Stuart Beesley (Mr Toolbox)'s Avatar

    Dwg. I think you are correct. So it depends on your region.

  5. 5 Posted by Stuart Beesley ... on 13 Oct, 2021 08:27 PM

    Stuart Beesley (Mr Toolbox)'s Avatar

    Post updated accordingly. So for clarity, Plaid may store your userid/password depending on region. But MD never stores it (for md+).

  6. 6 Posted by wamzhskqmhwxpho... on 13 Oct, 2021 08:30 PM

    wamzhskqmhwxphop's Avatar

    Thank you for all the replies! My MD file is quite a few security layers deep in my environment but appreciate the recommendation.

    I had read that Plaid link but it's quite vague. Agreed that it is region dependent.

    So assuming Plaid does have your credentials, the only other layers are the read only and bank-side MFA. Moneydance+ puts a lot of trust in those layers and I'm not sure I agree.

  7. 7 Posted by dwg on 13 Oct, 2021 08:44 PM

    dwg's Avatar

    With the way some banks are moving if people want to have automatic downloads then Moneydance has little choice, the only thing they can do is identify an Aggregator that has the best policy and practices.

    In countries initiating Open Banking there is a frame work and legislated requirements so that is a more secure environment but you still need to ensure the aggregator has appropriate privacy polices and practices. I do not see that it would be viable for Moneydance itself to become a registered data recipient in the various countries under Open Banking.

    The choice people can make is to understand and accept the service or to not use the service. use manual downloads and import or indeed manual data entry it thus becomes the users choice at the end of the day, for some convenience and ease is the dominant consideration.

  8. 8 Posted by wamzhskqmhwxpho... on 13 Oct, 2021 08:55 PM

    wamzhskqmhwxphop's Avatar

    Totally agreed. Very unfortunate that we're being forced into collective data situations.

  9. 9 Posted by dtd on 13 Oct, 2021 09:46 PM

    dtd's Avatar

    Agree with the very unfortunate. Also, unfortunately, some institutions won't even provide a manual OFX download solution.

  10. 10 Posted by dwg on 13 Oct, 2021 09:56 PM

    dwg's Avatar

    It shows that customer service is not necessarily one of their most important objectives.

    Where there is open banking they have been dragged kicking and screaming, of course when the government has the power to ultimately cancel your banking license the choice they have is very stark.

  11. 11 Posted by Stuart Beesley ... on 14 Oct, 2021 06:44 AM

    Stuart Beesley (Mr Toolbox)'s Avatar

    UPDATED: Several points. Your moneydance dataset is already encrypted with a default passphrase if you don’t set it manually. However, this is useless protection if someone has Moneydance as they can open your data. I strongly suggest you set a MD password (and remember it of course).

    The old OFX functions can store your user Id and password within your dataset. But as you are forgetting passwords, then these get wiped. You can for example, use toolbox extension to see all your stored ofx data.

    MD+ is different. With MD+, MD never has your bank passwords and never saves them… When you register a connection, you are directed by Plaid to a login web page. Here you log in to your bank. I think it depends by county whether you are entering your password into Plaid, or your bank. In the U.K. (with Open Banking) for example, it’s the bank’s own webpage and not even plaid gets your password. (I would personally be concerned about entering codes into a non-bank webpage!). At this point, where you used the banks own login page, the bank then issues plaid a token - e.g. ahdhdgdgdgdgdv524gsf28mdDGDc524 which is the key(token) to get access to your account. Where you entered your userid/password into a Plaid webpage, I suspect Plaid is storing your details and then generating/issuing MD with a token. The key is anonymous and doesn’t really say who you are. Thus MD needs this key to connect via Plaid to your bank. This key (token) is stored (raw) in your moneydance dataset. MD also stores an encrypted copy of this token on its servers. MD encrypts this token with your dataset’s pub/private keys before saving. Only your keys can decrypt. Each MD dataset will generate a unique private/public key and this is saved in your dataset. Thus within your dataset you are storing your keys and your (anonymous) token. Hence I suggest you set a dataset password. Without your keys, your token cannot be decrypted by MD and you cannot access your accounts. Toolbox will show you some of this information if required, but it will hide confidential key/token data. FYI - your account numbers in MD+/Plaid are also anonymous. So you might have 123456 but the MD+ Reference is shsgsgGHG524GGfsgsg726ZZ for example. Hence the need for the match window.

    What I don't know (yet) is whether Plaid passes through the bank token to MD, or whether Plaid always generates it's own token for MD....

    So in all practical terms, you hold a token which directs MD+ to Plaid to your bank to your account. But MD and Plaid don’t actually know who you are. Where your bank is issuing tokens, Plaid does not hold your user/password; but in some countries Plaid may store your UserID / password. MD does store your email address on its server, but really uses it to know you are registered. Your dataset needs to be protected as it contains important stuff.

    Hope this helps, or was it gobdly gook?

    Note: this is all my understanding, and not the official IK response.

    (Not support, just a fellow user)

  12. System closed this discussion on 13 Jan, 2022 06:50 AM.

Comments are currently closed for this discussion. You can start a new one.

Keyboard shortcuts


? Show this help
ESC Blurs the current field

Comment Form

r Focus the comment reply box
^ + ↩ Submit the comment

You can use Command ⌘ instead of Control ^ on Mac