Thank you very much for chiming in so far.
I can minimize the potential danger quite a bit from what I see but being a paranoid type of person it bugs me very much that there isn’t really THE WAY to do this “right”.
I don’t have to worry about users needing access to enter or read the credentials at all. If needed I can get them over the phone and punch them in myself no matter how silly that seems.
Also, I can protect the users by setting up their third party service to only accept requests via those credentials if they come from my servers IP address.
I can even make the users use a truly randomly generated password as potentially I could be the one either setting this up, or telling them how to set up the passwords.
All of that amounts to “pretty ok” I guess, but the fact that someone who gets access to the server could still cause issues no matter what is what bugs me. No such thing as 100% safe on the interwebs