I know that storing plain-text passwords in your database is a no-no; for login credentials, the typical solution is to store a hashed password (preferably with some entropy or salt). But what about sites that store your credentials for other services or sites? I'm thinking about things like Mint (www.mint.com). Since hashing is a one-way function, they can't hash my credentials. So are they encrypting them, and hopefully somehow keeping their encryption algorithm/data safe? Is it even possible for the encryption algorithm to be REALLY safe? What's the best practice for doing this sort of thing?
I'd really like to hear your thoughts, since I'm a little nervous about giving people my banking credentials, but also because it seems like this sort of thing is going on more and more with aggregator-type services (things like FriendFeed).