In July 2021, Synology introduced a new secure password manager, C2 Password, to its suite of Synology C2 services. Password managers (like 1Password, Bitwarden, LastPass) have become increasingly popular and necessary over the past few years as a means to foil hackers by having a different complex password for every single one of your online accounts. Are you using a password manager? In this article, we will take a look at C2 Password's features, with occasional comparisons to my experience with Bitwarden.
Comparing with other password managers
|Price||Free||Free||Premium (US$10/year)||Free||Premium (US$3/month)|
|Max vault items||10,000||Unlimited||Unlimited|
|Encrypted file sharing||Yes||No||Yes||No|
|Cross-device syncing||Unlimited||Unlimited||One (1) device||Unlimited|
|Browser Extensions||Chrome, Edge||Chrome, Edge, Firefox, Safari, Opera, Vivaldi, Tor||Chrome, Edge, Firefox, Safari, Opera|
|Mobile app||* Soon||iOS, Android|
|Leaked credentials monitoring||No||No||Yes||No||Yes|
|* Information as of 7th August 2021|
In terms of core features, C2 Password is not too different from the incumbents. I have some suggestions for improvement in the later part of the article.
Synology C2 Password Features
This is the main web dashboard where one can create and organise login credentials and other personal information. This information is securely kept in Synology Cloud (Synology C2) and made available via the web portal or through web browser extensions (e.g. on Chrome, Edge). Synology highlighted that C2 Password mobile apps for iOS and Android will be available in the near future.
The passwords, items and stored files are protected with AES 256-bit encryption. Encryption and decryption happen on your device, so all data that leaves the device is already encrypted. That is why you are required to key in your C2 Encryption Key whenever you log in to C2 Password. This zero-knowledge design ensures that the C2 Password platform does not know the actual contents (cleartext/plaintext).
C2 Password can help you generate passwords with customisable length and complexity (e.g. uppercase, lowercase, numbers, special characters). A complex, strong password is difficult for hackers to brute force. Other than password generation, it is also capable of generating time-based one-time passwords (TOTPs) for websites and services that require two-step verification. Yes, TOTP is free, unlike in other password managers (e.g. Bitwarden).
Getting Started with C2 Password
Signing up and initial setup
You will just need a Synology account to start using C2 Password. Simply navigate to Synology C2 Password and click on the “Get Started” link on the top right hand corner.
Creating a new vault item
Compared to Bitwarden, which I am using, there are more categories for vault items. Synology has templated the required attributes for each category for ease of form filling. For example:
- For Login, attributes like username, password, URL, etc.
- For Identity, attributes like full name, date of birth, address, etc.
- For Payment Card, attributes like full name, card number, CVC, etc.
Below, I will navigate through the process of adding a Login vault item.
Using the C2 Password with web browser extension
Setting up my Chrome browser extension
Installing the browser extension is no different from installing any other: you can either search for C2 Password in the browser’s extension store (e.g. Chrome web store) or initiate the install via the C2 Password web portal.
Using the C2 Password browser extension
The C2 Password browser extension will automatically fill in the necessary credentials when it detects the fields. It also presents an overlay on the fields in case we wish to make use of other stored credentials in the vault. This is unlike Bitwarden’s default method, where the browser extension icon shows a badge with the count of matched credentials and one needs to select the matched credentials to fill the fields. There are pros and cons to each method. However, I must add that Bitwarden also has the feature of automatically filling fields (albeit experimental).
2FA logins with time-based one-time password (TOTP)
Most websites support two-factor authentication (2FA) nowadays. While some of them rely on sending an OTP via SMS or email, the majority support time-based one-time passwords (TOTP).
I created a vault item for my github.com account with the correct TOTP secret in the TOTP field. Do take note of the URI format for the TOTP field.
Format : otpauth://totp/"display_name":"username"?secret="totp_secret"
The TOTP does not get automatically filled in like the username and password fields. You will need to click on the C2 Password browser extension icon, navigate to the suggested vault item and copy the TOTP. C2 Password will suggest and list the vault item at the top of the list.
Other C2 Password browser extension settings
For the option that controls when C2 Password is auto-locked, I recommend changing it to “When screen is locked” from the default “On browser restart” as the minimum baseline if you have screen timeout and screen lock configured on your laptop/desktop.
C2 Password also allows you to upload and share files securely with others. The sharing links can be valid for up to 7 days and you can also limit the file to a single download (one-time access).
| Feature | C2 Password – File Transfer |
| --- | --- |
| File size limit | 100 MB |
| Number of recipients per file | 1 |
| Concurrent active file transfer | 1 |
| Transfer expiry duration | Up to 7 days |
| OTP to email address | Yes |
| Download only once option | Yes |
Currently, you can only share/ transfer one (1) file in the free tier.
Retrieving the transferred file
The recipient can access the file by simply navigating to the shared link address.
Avoid ambiguous characters in password generator
The password generator is great, but it could be better if it omitted ambiguous characters. Depending on the font family used, 1 (numeral 1), I (uppercase i) and l (lowercase L) can be hard to tell apart when one is reading the password off the screen and typing it in elsewhere. This issue will be more pronounced when C2 Password releases the mobile app and users refer to their vault items on their mobile device but key in the password into their laptop/desktop’s web browser.
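A sketch of the suggested behaviour, as an added example and not Synology's code: a generator with the customisable length and character classes described earlier, plus an option that drops the look-alike characters named above. The symbol set and the function names are assumptions; `entropy_bits` shows how little strength the exclusion costs.

```python
import math
import secrets
import string

AMBIGUOUS = set("1Il")   # the look-alikes named in the article

def build_classes(upper=True, lower=True, digits=True, special=True,
                  avoid_ambiguous=True):
    """Return the enabled character classes, minus look-alike characters."""
    classes = []
    for enabled, chars in ((upper, string.ascii_uppercase),
                           (lower, string.ascii_lowercase),
                           (digits, string.digits),
                           (special, "!@#$%^&*-_=+")):   # assumed symbol set
        if enabled:
            kept = [c for c in chars if not (avoid_ambiguous and c in AMBIGUOUS)]
            classes.append(kept)
    if not classes:
        raise ValueError("enable at least one character class")
    return classes

def generate_password(length=20, **options):
    """Random password with at least one character from every enabled class."""
    classes = build_classes(**options)
    if length < len(classes):
        raise ValueError("length too short for the enabled classes")
    alphabet = [c for cls in classes for c in cls]
    chars = [secrets.choice(cls) for cls in classes]      # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                 # hide class positions
    return "".join(chars)

def entropy_bits(length, **options):
    """Upper bound on entropy: length * log2(alphabet size)."""
    size = sum(len(cls) for cls in build_classes(**options))
    return length * math.log2(size)

if __name__ == "__main__":
    print(generate_password(20))
    loss = entropy_bits(20, avoid_ambiguous=False) - entropy_bits(20)
    print(f"entropy given up by excluding 1/I/l: {loss:.2f} bits")
```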
More intuitive TOTP hint/ guide
Although C2 Password is using standard otpauth:// URIs, the example could be more intuitive than just “otpauth://TYPE/LABEL?PARAMETERS”, as hardly anyone would figure out that they need to type in something like “otpauth://totp/github.com:email@example.com?secret=JBSWY3DPEHPK3PXP”.
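To make the TOTP field format from the 2FA section and the hint discussed here concrete, the following added example (not part of C2 Password or of the original article) parses an otpauth://totp/ URI and computes the code per RFC 6238. The function names are assumptions; the URI in the demo is the article's sample one.

```python
import base64, binascii, hashlib, hmac, struct, time
from urllib.parse import urlparse, parse_qs, unquote

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}

def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into issuer, account, key and parameters."""
    u = urlparse(uri.strip())
    if u.scheme != "otpauth" or u.netloc.lower() != "totp":
        raise ValueError("URI must start with otpauth://totp/")
    label = unquote(u.path.lstrip("/"))
    issuer, sep, account = label.partition(":")
    if not sep:                        # label carries no "issuer:" prefix
        issuer, account = "", label
    params = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = params.get("secret", "").replace(" ", "").upper()
    if not secret:
        raise ValueError("missing secret= parameter")
    try:                               # pad Base32 to a multiple of 8 chars
        key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    except binascii.Error as exc:
        raise ValueError("secret is not valid Base32") from exc
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm")
    return {"issuer": params.get("issuer", issuer), "account": account.strip(),
            "key": key, "algorithm": algorithm,
            "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30))}

def totp(key, at, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 code for Unix time `at`: HOTP over the time-step counter."""
    counter = struct.pack(">Q", int(at) // period)
    mac = hmac.new(key, counter, ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F            # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def code_from_uri(uri, at=None):
    """Current (or given-time) code for a vault item's TOTP field."""
    f = parse_otpauth(uri)
    now = time.time() if at is None else at
    return totp(f["key"], now, f["period"], f["digits"], f["algorithm"])

if __name__ == "__main__":
    # URI from the article's example; JBSWY3DPEHPK3PXP is a demo secret.
    uri = "otpauth://totp/github.com:email@example.com?secret=JBSWY3DPEHPK3PXP"
    fields = parse_otpauth(uri)
    print(fields["issuer"], fields["account"], code_from_uri(uri))
```

Comparing the printed code with the one shown for the vault item is a quick way to confirm the URI was entered correctly.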
Extensions for more browsers
Other than Chrome and Edge, consider supporting browsers like Safari and Firefox too.
With a different complex password for each account, Synology C2 Password gives users a fairly easy-to-use password manager. Users can improve their cybersecurity practices by moving the passwords written on their Post-it notes into the password manager and starting to use a unique password for each of their accounts. For added peace of mind, Synology C2 Password is backed by end-to-end encryption.
If you already have a Synology account, just give Synology C2 Password a try. It is free anyway.