Review of the Stash Password Manager — Updated

The most secure password storage is offline. A criminal on the other side of the world can’t steal your passwords if they’re not on the Internet to be stolen in the first place. Until recently, storing your passwords offline has meant writing them in a notebook. One of my clients keeps all of her business passwords on 3x5 cards, in a locked desk drawer, in a building with a burglar alarm. Nothing wrong with that; a securely managed written list is absolutely acceptable.

It’s acceptable, but not perfect. For example, a written list can be lost or stolen. If it’s lost, you probably don’t have a backup copy, so every password has to be recovered manually with the “forgot my password” option. And if the list is stolen, well, your written password list probably isn’t encrypted, so whoever took it can read it.

The Stash Password Manager addresses these problems. It’s offline. It’s encrypted. You can make a backup. And — bonus — you can take it with you, because it’s tiny and portable.

Before I get into the details of the review, it’s time for full disclosure with some background information. In December of 2019, a friend asked me what I thought of the Stash card. At that time I had never seen a Stash card. I did some online research and then wrote my original review. (It contained information that is now outdated, so I deleted it.) I tried to give an impartial report of the pros and cons, so my friend could decide if the Stash card was something she might want to try.

As it turned out, that review was more popular than I would ever have imagined. It got the attention of the people at Elsi, Inc., the parent company of Stash, in Edmonton, Alberta, Canada. They tracked me down, connected with me on LinkedIn, and offered me a free Stash card, no strings attached. I accepted their offer, and — spoiler alert — I told them that if I liked it, I’d write a second review.

My first Stash card! (Later, I bought a spare)

I’ve been carrying and using the Stash card for over a month now. I also conducted a video interview with some of the key players at Stash, and asked pointed questions about the technology, the hardware, and the software. In this article, I’ll describe the features, give you my analysis, and tell you why the Stash Password Manager is now a permanent part of my life. Oh — and I’ll tell you more about that interview, too.

THE FEATURES

The Stash card is the size of a credit card. It can store your usernames and passwords for hundreds of sites. Your login information is NOT stored on the Internet; it’s stored ONLY in the Stash card.

You can create your own passwords, or let the Stash card generate and store strong passwords for you.

Your login information is encrypted on the Stash card, and the Stash card is paired to your phone. If your Stash card is lost or stolen, your login information is safe from the average person because (1) they can’t connect to the card with their phone, and (2) the data is encrypted. This is not to say that a government agency with professional resources can’t recover your login credentials, but if your Stash card goes missing, you’re safe from all ordinary threats.

The Stash card communicates with your phone using Near Field Communication (NFC), just like Google Pay, Apple Pay, Samsung Pay, or other tap-to-pay services.

The Stash card uses no external power: no batteries, nothing to charge.

The Stash card works with Apple’s iPhone (iPhone 8 or newer, running iOS 13 or later) and Android phones (Android 4.4 KitKat or later). The phone must be NFC capable. To use it, you must download the free Stash Password Manager app from the App Store or Google Play.

The Stash card is manufactured in Canada.

The price for one Stash card is currently $49.99 (Canadian dollars). On 16 May, 2020, that converts to $35.43 (USD).

It’s a relatively new product; Stash began shipping Stash cards on October 24, 2019.

THE ANALYSIS

1) The technology is sound. The encryption is excellent. The Stash Password Manager uses AES-128 encryption. (But, Bob, why didn’t they choose AES-256?) Without going into the technical details, trying every possible AES-128 key would take longer than the age of the universe, so the key space is not the weak point. AES-256 runs more rounds (14 instead of 10), so it costs more processing time on a phone for no practical gain against brute force. AES-128 is plenty strong enough. In any encrypted store, the practical question is not the cipher but how the key is generated and protected; for the Stash card that comes down to the card-to-phone pairing, which I discuss in the interview section below.

2) With the Stash card, your passwords can’t be stolen from web-based password managers because your passwords aren’t stored on the web. Use your favorite search engine and search for “password manager breach.” After you lose confidence in online password managers, do a second search for “browser password manager security.” Those search results will cause you to think twice about letting your web browser remember your passwords. Then you’ll know why storing your passwords in an encrypted card that you carry with you is more secure.

3) You can make encrypted backup copies of your login information. The backup file can be stored on your phone, and/or copied to some other secure storage location. Here’s a cool feature that I don’t think they tell you about on the website: there is no option to make an unencrypted backup. I’ve seen offline password storage systems for the Windows operating system that do permit the creation of a cleartext backup. That’s fine if you store it securely, but a lot of people don’t. If future versions of the Stash Password Manager include the option of creating an unencrypted backup (public pressure may lead to this), I’ll still advise you not to do it.

4) The Stash app has an autofill function that can be enabled or disabled. For websites and apps whose login fields your phone’s autofill framework recognizes, this feature can save time and effort. Keep in mind that not all secure accounts can make use of this feature; some login pages simply don’t expose their fields to autofill. Still, it’ll save time on those websites that support it.

5) The Stash app can generate passwords for you, up to — get this — 128 characters long! The password generator lets you control whether you use all four character sets (upper case, lower case, numbers, and symbols), or some subset. Personally, I’d never voluntarily use a password that didn’t include all four character sets, but there are still some accounts on the web where you can’t use symbols (also called special characters), so it’s nice that you have the option of what character sets are used for password generation.
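
As an added example (not code from Stash or from the author of this review), here is a generator in the style item 5 describes: the four selectable character classes, a cap at 128 characters, and a guarantee that every selected class actually appears. It draws from the operating system’s CSPRNG via Python’s secrets module, never the random module, and reports how much entropy you give up when a site forbids symbols. The symbol set and the 128-character cap are assumptions for illustration; the real app’s sets are not published on the page.

```python
import math
import secrets
import string

# The four character classes the review mentions. The symbol set is a
# constructed example; real sites accept different subsets.
CHARSETS = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}

MAX_LENGTH = 128  # assumed cap, matching the limit quoted in the review


def generate_password(length, classes=("upper", "lower", "digits", "symbols")):
    """Return a password of `length` characters drawn only from `classes`.

    Every selected class is guaranteed to appear at least once. All
    randomness comes from `secrets` (the OS CSPRNG); `random` would be
    predictable and must not be used for credentials.
    """
    if not classes:
        raise ValueError("select at least one character class")
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    if length > MAX_LENGTH:
        raise ValueError(f"length capped at {MAX_LENGTH}")

    alphabet = "".join(CHARSETS[c] for c in classes)
    # One guaranteed character per class, then fill from the whole alphabet.
    chars = [secrets.choice(CHARSETS[c]) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle with a CSPRNG so the guaranteed characters do not
    # always sit in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, classes):
    """Upper bound on entropy: log2(alphabet size) bits per character."""
    alphabet_size = sum(len(CHARSETS[c]) for c in classes)
    return length * math.log2(alphabet_size)


def has_all_classes(password, classes):
    """True if at least one character from every class in `classes` is present."""
    return all(any(ch in CHARSETS[c] for ch in password) for c in classes)


def uses_only_classes(password, classes):
    """True if every character belongs to one of the selected classes."""
    allowed = set("".join(CHARSETS[c] for c in classes))
    return all(ch in allowed for ch in password)


if __name__ == "__main__":
    full = ("upper", "lower", "digits", "symbols")
    no_symbols = ("upper", "lower", "digits")
    print(generate_password(20))
    print(generate_password(20, no_symbols))
    # Dropping symbols costs under a bit per character; adding length
    # recovers it quickly, which is why a longer password is the fix for
    # sites that reject special characters.
    print(round(entropy_bits(16, full), 1), round(entropy_bits(16, no_symbols), 1))
    print(round(entropy_bits(18, no_symbols), 1))
```

With the assumed symbol set, a 16-character password from all four classes carries about 103 bits; the same length without symbols carries about 95 bits, and two extra characters more than make up the difference. The takeaway for the “no symbols allowed” accounts in the text is to ask the generator for a longer password rather than to worry about the missing class.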

SOME CONSIDERATIONS

1) If you let the Stash Password Manager generate passwords, and then you lose the Stash card, regaining access to all of your accounts might be cumbersome. In the worst-case scenario, you’d have to go to each account and use the “forgot my password” option to regain access. You can avoid this, though, by purchasing a spare Stash card, which I highly recommend. Then, if you lose your Stash card, you can restore your backup file to the spare card in just seconds, and continue on like nothing ever happened. (You did make a backup file, didn’t you?)

2) The Stash card doesn’t work directly with computers or tablets. The Stash Password Manager is optimized for use with mobile phones. Your phone communicates with the Stash card using the wireless NFC protocol, and the app only runs on phones; most desktops and laptops have no NFC reader at all. For the many people who have gone “phone only” for their personal Internet use, this isn’t a problem. For the rest of us, you can still use the Stash card with your phone, view the username and password, and type it into your computer. This is a minor inconvenience in exchange for the extra security of storing your passwords offline.

THE INTERVIEW

After using the Stash card and Stash app for a couple of weeks, I had some questions. I arranged for a video conference with several of the people at Elsi Inc., including Jerry Wolverton, CEO.

Foremost on my mind was the “big” security question: does the Stash app transmit my security credentials back to Elsi Inc.? The answer is a resounding “no.” In fact, the Stash app doesn’t communicate with the manufacturer at all. All the app does is read and write to and from the Stash card in your hand. The only other communication is between your phone and the app store. If you have automatic updates enabled, your phone (not the app) will download updates, but an update only replaces the app’s code; it doesn’t upload the app’s data, so none of your credential information is sent to Google or Apple during updates.

My next question was about the switch. It’s a mechanical switch, so is it reliable? Well, yes it is! The switch is rated for 500,000 operations. If I use the Stash card ten times a day, that’s over 136 years. By the way, that switch is a super-important part of the security. A passive NFC card with no switch answers any reader that comes within range. Your data can’t be retrieved with an NFC “skimmer” by someone near you, because the NFC function on the card only works while the switch is pressed.

The pressure switch. For security, the switch must be pressed for NFC communications.

I also wanted to know if the Stash card could be paired to more than one phone at a time. So, if someone else installs the Stash app, can they read my Stash card? I got a reassuring answer: when a Stash app first writes data to a Stash card, they are uniquely paired. No other phone can read that card. By the way, this is another reason to make that encrypted backup file. When you get a new phone, you’ll download the Stash app and then pair it with your Stash card by writing the backup file to the card. Authentication credentials from the previous pairing will be gone.

Your Stash card is safe. The Stash app on another phone can’t read your card. I tried!

And last but not least, I asked about continued development. Are there any new features coming? Video conference calls are great — you can read facial expressions and body language. With smiles and twinkling eyes, I got my answer: stay tuned! There’s a lot more to come! (Hint: integration with computers, in addition to phones, is a high-demand item).

SUMMARY

Elsi Inc. sent me that first Stash card for free, but I liked it so much I bought a second card as a spare. I don’t want to be without it ever again.

My second Stash card. When I travel, I carry it in my suitcase.

The Stash card is a solid, reputable product, and it has excellent security-by-design.

Storing passwords on a card you own and carry is far more secure against remote attackers than web- or browser-based storage, because there is nothing online to breach. The risk you take on instead is losing the card, and the spare card plus an encrypted backup covers that. When you combine the Stash Password Manager with Two-Factor Authentication (2FA), you’ve got powerful control of your online safety.

I’ve been carrying my Stash card in various ways to test it out: in my wallet, in my pants pocket with my keys, and in my shirt pocket. It’s good-looking. It’s durable. And it just works, time after time.

Do yourself a favor and buy two cards at once. Carry one card, and keep the other as an emergency spare. Always, always keep a current encrypted backup file of your Stash card’s contents. If you lose your Stash card, you can restore your encrypted backup file to the spare card. The “spare” will now be the card that’s uniquely paired to your phone, and you can continue on without skipping a beat.

DISCLOSURE — I am not affiliated with Elsi Inc. or StashPass in any way. I won’t receive any compensation from Elsi Inc. if you purchase products from them. Visit their website at: https://stashpass.ca/

ABOUT THE AUTHOR — Bob Young is Director of Information Security for a company with 700 retail locations. Public utilities hire him as a consultant to evaluate security at electric power plants. He has also taught cybersecurity courses at several colleges. Bob Young is available for cybersecurity evaluations at other companies, too. Reach out to Bob through the “Contact Us” page at his website: https://fifonetworks.com/contact-us/
