This is generally sound advice but it's not a random side project of someone in that case. It's an official partner of the libraries so your suspicion is a bit misplaced.

It's a for profit company that sells its services to libraries.

I think suspicion of any company that asks for your password with a third party is warranted. Asking for credentials like this not only teaches bad security practices, but even if Kanopy is trustworthy today, the company could easily be sold to a less trustworthy owner and all the data from your library account siphoned and sold to data brokers.

It would be safer to do something where the sign-in occurs on the library's website as opposed to Kanopy's. But you should be able to verify on the applicable library website that they have a legitimate partnership with Kanopy and that this is a permitted use of your login credentials, e.g.: https://www.torontopubliclibrary.ca/kanopy-help/ and https://www.vaughanpl.info/databases/index/alphabetical/K

Kanopy redirects you to the library's own website to do the actual sign-in. And re-validates about once-per-month.

Librarian here.

Kanopy uses your card number and PIN to access an API for whatever ILS the library allows Kanopy to point to. Libraries allow access when they pay for giving access to Kanopy for their patrons.

However, in theory, this could give Kanopy access to try and harvest checked out materials via our catalog with these credentials. In practice, we haven't seen them doing this. Your PIN/password should after all be different from the ones you use for every website.

Edit: that should have said kanopy, not kaboom.