Frequently Asked Questions

What is my Stashword?

Your Stashword is a master password or phrase that only you know. This key is used to unlock your vault. When you want to view, edit or share your passwords you will need to provide this key. It is important to know that your Stashword is never stored in our database. In fact, it never leaves the device into which you type it. This means that if you lose your Stashword, we can’t help you. You will have to start over with your Stashword account.

What is the vault?

The vault is a representation of the encrypted/decrypted status of your information within your browser, iOS app or Android app session. When the vault is unlocked, it means your Stashword is held in memory and your data can be decrypted. When the vault is locked, it means that all of your data is once again encrypted and you will need to unlock the vault (re-enter your Stashword) before you can view your passwords and notes.

What is my login password and how is it different from my Stashword?

With other password managers, someone who is able to guess your login info could easily access all your passwords. Remember that your Stashword is different from your login password, so the security of your vault is multiplied right from the get-go without having to do any other setup. At Stashword, your login password can be thought of as how we verify your identity before we even let you near your vault. We use it to confirm your access before we pull your encrypted passwords from our server to your browser or device.

If the Stashword is the key to your safe, the login password can be thought of as the key to the closet in which you keep your safe. It’s easy to understand from a security standpoint why the two keys should be different. We keep a copy of the closet key (your login password) and can fetch it for you if needed, but never the key to the safe (your Stashword).

In other words, we have multi-factor authentication by design, right from the beginning, and not as an afterthought. This separates us from other password management solutions. Even if someone somehow guesses your login password for Stashword, your vault is still safe because it is locked by a completely separate Stashword.

If you are on a private computer or mobile device, you can choose to remain logged in to Stashword. We will remember your device and keep you logged in. This saves you having to memorize your login password, and makes your Stashword the only password you will need to enter to access your vault. Selecting “Keep me logged in” means you will only need your login password if you are visiting from a new device.

What is third-party authentication?

Third-party authentication is an alternative to a login password. It’s a way of verifying your identity on your device by seeing if you are logged in to another application. For example, if you have authenticated your Stashword account through Facebook and you are logged into Facebook on your computer, we can use this information to automatically log you in to Stashword. We currently support third-party authentication through Facebook, but plan to add support for additional services in the future. Using third-party authentication allows you to skip the login process, but you will still be required to enter your Stashword in order to open your vault.

Users who sign up for Stashword via third-party authentication can always create an additional login password tied to their verified email, in case they want to close their third-party account without losing access to Stashword.

How is my login password saved?

First, a derived password is obtained by salting and stretching your password with a key derivation function (PBKDF2 using SHA256 HMAC, for the technically inclined). This makes the password stronger and resistant to dictionary-based or pre-computed hash-based attacks. Only this derived password is sent to the server. The derived password is then one-way hashed again and only the hash is saved. This means that even if you reuse your password from another website as your Stashword login password, it will appear differently in our database than in any other site's database.

How is my Stashword used to lock my vault?

First, a derived key is obtained by salting and stretching your Stashword. This makes your Stashword even stronger and resistant to dictionary-based or pre-computed hash-based attacks. This derived key is then used, along with a unique IV (initialization vector) for each password, to encrypt and decrypt your passwords. The encryption is done with industry-standard AES-256 encryption, which has never been cracked. This means that even if you have the same password value for two different websites, the encrypted value saved in our database will be different for the two websites.