Stash Card

How to store passwords outside of cloud and device?

As I wrote before, if you do not use a password manager you will eventually be hacked. But the debacle at LastPass shows that cloud-based password managers have their risks as well. Then the alternative will be to use an offline password manager, which I have written more in-depth in my book.

But as explained in my book, using an offline password manager has its own drawback- you have to be responsible for backing up and synchronising your password database file. For example, if you store your password database file on your laptop only, what if your laptop breaks down? You will need to restore your password database file from your backups. What if your backups is not up to date? Then you will lose some of your passwords. Another example: if you store your password database file on your laptop and your smartphone, what if you make changes to both of them and forget to merge the changes together? In this case, you cannot copy your password database file from one of your device to another because that will overwrite the changes made on the other device. So, you can see that if you are not merticulous enough and do not have a strategy to backup and synchronise your password database files, you may end up making a mess of your password database. For some people who are tech-savvy, they have come up with strategies like internal Wifi synchronisation, which has their own drawbacks and pitfalls too.

So, what if you want to use an offline password manager, but you do not want to deal with the problem of synchronisation?

Recently, I have got acquainted with a type of a password manager that is quite unique among all the password managers in the markets- Stash Password Manager. This product bypasses the synchronisation problem (which is not the same as solving the problem), leaving you to deal with the backup problem. This is how their Stash Card works:

There a few advantages in storing your passwords on an external Stash Card:

  • Your password database will be impervious to any malware swiping the entire database in one go.
  • There is no master password to remember.
  • The synchronisation problem will be bypassed because your passwords are only stored in one place (the Stash Card) which will be physically accessible by you all the time.

There are potential pitfalls to this solution:

  • What if you lose your Stash Card? Then you will lose your entire password database. Therefore, the companion app will always remind you to back up your Stash Card to an external file encrypted with your password. This is the password you will have to remember. Should you lose your Stash Card, you can restore your passwords from the external file to your Stash app, which will then function like a typical offline password manager.

In terms of usability, here are my observations:

  • The password manager is very basic in terms of features. There are no bells and whistles compared to the other password managers in the market.
  • Your passwords are accessible through an app on your NFC-enabled smartphone. If you want to access your passwords from your Mac or PC computer, you need to install a companion Stash+ app on your computer. Your passwords will flow from the Stash Card to your smartphone via NFC, and then from your smartphone to your computer via Bluetooth.

In terms of security, here are the key points:

  • Each Stash Card can only be paired with one smartphone. If your Stash Card is stolen, your passwords cannot be accessed from another smartphone. The implication is that you cannot share your Stash Card with another person.
  • Elsi Inc, the company behind this product, is working on a security white paper to explain how the security of Stash Passwords works. So, I do not have any opinion on how secure it is.

In conclusion, Stash Card is a very unique and interesting solution to your password problem.

2 Comments

  1. sychrnoisation > sychronisation

  2. Thanks for the heads up. I’ve corrected the spelling error.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Discover more from iSecurityGuru

Subscribe now to keep reading and get access to the full archive.

Continue reading