Synology C2 Password – Free Password Manager
In July 2021, Synology introduced a new secure password manager, C2 Password, to its suite of Synology C2 services. Password managers (like 1Password, Bitwarden, LastPass) have become increasingly popular and necessary over the past few years as a means to foil hackers by having a different complex password for every single one of your online accounts. Are you using a password manager? In this article, we will take a look at the C2 Password features, with occasional comparisons to my experience with Bitwarden.
Comparing with other password managers
Feature | C2 Password | Bitwarden (Free) | Bitwarden (Premium) | LastPass (Free) | LastPass (Premium) |
---|---|---|---|---|---|
Price | Free | Free | US$10/year | Free | US$3/month |
Max vault items | 10,000 | Unlimited | Unlimited | Unlimited | Unlimited |
Encrypted file sharing | Yes | No | Yes | No | No |
Cross-device syncing | Unlimited | Unlimited | Unlimited | One (1) device | Unlimited |
Authenticator (TOTP) | Yes | No | Yes | Yes | Yes |
Browser Extensions | Chrome, Edge | Chrome, Edge, Firefox, Safari, Opera, Vivaldi, Tor | Chrome, Edge, Firefox, Safari, Opera, Vivaldi, Tor | Chrome, Edge, Firefox, Safari, Opera | Chrome, Edge, Firefox, Safari, Opera |
Mobile app | * Soon | iOS, Android | iOS, Android | iOS, Android | iOS, Android |
2FA Login | Yes | Yes | Yes | Yes | Yes |
Leaked credentials monitoring | No | No | Yes | No | Yes |
Self-host option | No | Yes | Yes | No | No |

* Information as of 7th August 2021
In terms of core features, C2 Password is not too different from the incumbents. I have some suggestions for improvement in the later part of the article.
Synology C2 Password Features
My Vault
This is the main web dashboard where one can create and organise login credentials and other personal information. This information is securely kept in Synology Cloud (Synology C2) and made available via the web portal or through web browser extensions (e.g. on Chrome, Edge). Synology highlighted that C2 Password mobile apps for iOS and Android will be available in the near future.
Platform Security
End-to-End Encryption
The passwords, items and stored files are protected with AES 256-bit encryption. Encryption and decryption happen on your device, so all data that leaves the device is fully protected. That is why you are required to key in your C2 Encryption Key whenever you log in to C2 Password. This zero-knowledge design ensures that the C2 Password platform does not know the actual contents (cleartext/plaintext).
Password Generator
C2 Password can help you generate passwords with customisable length and complexity (e.g. uppercase, lowercase, numbers, special characters). A complex, strong password makes it difficult for hackers to brute force. Other than password generation, it is also capable of generating time-based one-time passwords (TOTPs) for websites and services that require two-step verification. Yes, TOTP is free unlike other password managers (i.e. Bitwarden).
Getting Started with C2 Password
Signing up and initial setup
You will just need a Synology account to start using C2 Password. Simply navigate to Synology C2 Password and click on the “Get Started” link on the top right hand corner.
Creating a new vault item
Compared to Bitwarden that I am using, there are more categories for vault items. Synology has templated the required attributes for each category for ease of form filling. For example:
- For Login, attributes like username, password, URL, etc.
- For Identity, attributes like full name, date of birth, address, etc.
- For Payment Card, attributes like full name, card number, CVC, etc.
Below, I will navigate through the process of adding a Login vault item.
The different types of vault items that you can create. For now, I am only interested in the Login item. The attributes of the login item. Filling in the information for my Synology account. Additional custom fields can be added too. I added another URL match for this login item. You can also mass import the vault items if you are migrating from another password manager or you have a lot of items to create.
Using the C2 Password with web browser extension
Setting up my Chrome browser extension
Installing the browser extension is no different from installing any other: you can either search for C2 Password in the browser’s extension store (e.g. Chrome web store) or initiate the install via the C2 Password web portal.
Installing the web browser extension is straightforward. Simply search for it and add it to your browser. Once added, you will need to log in to the C2 Password web browser extension. It will prompt you for the C2 Encryption Key. Remember the zero-knowledge encryption? After logging in successfully, all the vault items will be shown.
Using the C2 Password browser extension
The C2 Password browser extension will automatically fill in the necessary credentials when it detects the fields. It also presents an overlay on the fields in case we wish to make use of another stored credential in the vault. This is unlike Bitwarden’s default method, where the browser extension icon shows a badge with the count of matched credentials that can be used and one would need to select the matched credentials to fill the fields. There are pros and cons for each method. However, I must add that Bitwarden also has the feature of automatically filling fields (albeit experimental).
When I navigate to a website with a login form, the browser extension will autofill the credentials. If the password is wrong, I can also key in the correct password and update the vault item in C2 Password.
2FA logins with time-based one-time password (TOTP)
Most websites support two-factor authentication (2FA) nowadays. While some of them rely on sending an OTP via SMS or email, the majority support time-based one-time passwords (TOTP).
I created a vault item for my github.com account with the correct TOTP secret in the TOTP field. Do take note of the URI format for the TOTP field.
```
Format : otpauth://totp/"display_name":"username"?secret="totp_secret"
Example: otpauth://totp/github.com:shadowandy@somewhere.sa?secret=JBSWY3DPEHPK3PXP
```
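The URI format above can be checked before it is pasted into the TOTP field. The following is an added example (not C2 Password's own code) that parses an otpauth://totp/ URI and derives the code per RFC 6238. The function names are hypothetical, and the defaults for digits, period and algorithm are assumptions taken from the common otpauth convention.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed defaults from the common otpauth convention; the article only uses "secret".
ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/ URI into its fields; ValueError if malformed."""
    parts = urlsplit(uri.strip())
    if parts.scheme != "otpauth" or parts.netloc.lower() != "totp":
        raise ValueError("expected otpauth://totp/...")
    label = unquote(parts.path.lstrip("/"))
    display_name, sep, username = label.partition(":")
    if not sep:  # label given without a "display_name:" prefix
        display_name, username = "", label
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("missing secret parameter")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in ALGORITHMS:
        raise ValueError("unsupported algorithm")
    secret = params["secret"].replace(" ", "").upper()
    # Base32 input must be a multiple of 8 characters: pad, then decode (validates).
    key = base64.b32decode(secret + "=" * (-len(secret) % 8))
    return {"display_name": display_name, "username": username, "key": key,
            "algorithm": algorithm, "digits": int(params.get("digits", 6)),
            "period": int(params.get("period", 30))}


def totp(entry, at=None):
    """RFC 6238 code for a parsed entry at Unix time `at` (default: now)."""
    counter = int(time.time() if at is None else at) // entry["period"]
    mac = hmac.new(entry["key"], struct.pack(">Q", counter),
                   ALGORITHMS[entry["algorithm"]]).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** entry["digits"]).zfill(entry["digits"])


if __name__ == "__main__":
    # Example URI from the article; the printed code changes every 30 seconds.
    entry = parse_otpauth(
        "otpauth://totp/github.com:shadowandy@somewhere.sa?secret=JBSWY3DPEHPK3PXP")
    print(entry["display_name"], entry["username"], totp(entry))
```

A URI that fails to parse here (wrong scheme, missing secret, non-Base32 characters) is the kind of input that would also yield no usable code in a vault item.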
The TOTP does not get automatically filled in like the username and password fields. You will need to click on the C2 Password browser extension icon, navigate to the suggested vault item and copy the TOTP. C2 Password will suggest and list the vault item at the top of the list.
Adding a vault item for Github.com with my credentials and TOTP secret. The TOTP is generated periodically. Automatic credentials filling using the C2 Password browser extension for Chrome. Copying the TOTP. This is great as I need not visually copy and paste from the software authenticator on my mobile phone. TOTP accepted and logged in successfully.
Other C2 Password browser extension settings
For the option that controls when C2 Password is auto-locked, I recommend changing it from the default “On browser restart” to “When screen is locked” as the minimum baseline if you have screen timeout and screen lock configured on your laptop/desktop.
File Transfer
C2 Password also allows you to upload and share files securely with others. The sharing links can be valid for up to 7 days and you can also limit the file to a single download (one-time access).
Feature | C2 Password – File Transfer |
---|---|
File size limit | 100 MB |
Number of recipients per file | 1 |
Concurrent active file transfer | 1 |
Transfer expiry duration | Up to 7 days |
OTP to email address | Yes |
Download only once option | Yes |
Watermark file | Yes |
Sharing file(s)
Currently, you can only share/ transfer one (1) file in the free tier.
You can upload a file or folder. Simply choose the file that you wish to transfer to your recipient. Some default options have been chosen. The file transfer settings. I have changed the task name to be more reflective of the content. The link expiry date can be changed. The minimum is 30 mins and the longest is 7 days. It can do post-processing to add a watermark to images. Summary of the file transfer before sharing. Enter the email address of the authorized recipient. They can only receive the one-time password (OTP) at this address. My selected recipient for the research info. Uploading the file; the time taken depends on your Internet speed. This is the link that you will share with your recipient. You can share the QR code with your recipient too. The list of shared file(s). Limited to 1 currently.
Retrieving the transferred file
The recipient can access the file by simply navigating to the shared link address.
The recipient will be prompted to enter his/her email address. C2 Password does check if the email address is authorized to access the file. Entering the actual recipient email address. An authorized recipient will be prompted for a one-time password (OTP). The OTP would be sent to the entered email address. The OTP arrived at the recipient’s mailbox. Entering the OTP into the prompt. Entering the correct OTP reveals the details of the file. You can preview the file (selected file types) and also download it.
Suggestions
Avoid ambiguous characters in password generator
The password generator is great but it can be better by omitting ambiguous characters. Depending on the font-family used, 1 (numeral 1), I (uppercase i) and l (lowercase L) can be visually challenging when one is visually copying and pasting the password. This issue would be more pronounced when C2 Password releases the mobile app and users refer to their vault items on their mobile device but key in the password into their laptop/ desktop’s web browser.
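A sketch of the suggested behaviour, as an added example (not Synology's generator): it draws from a CSPRNG, guarantees one character from each selected class, drops the look-alikes 1, I and l named above, and reports what that exclusion costs in entropy. The function names and the 20-character default are assumptions.

```python
import math
import secrets
import string

AMBIGUOUS = "1Il"  # the three look-alike characters named in the article


def build_classes(upper=True, lower=True, digits=True, special=True,
                  exclude=AMBIGUOUS):
    """Return the selected character classes with excluded characters removed."""
    pools = []
    if upper:
        pools.append(string.ascii_uppercase)
    if lower:
        pools.append(string.ascii_lowercase)
    if digits:
        pools.append(string.digits)
    if special:
        pools.append(string.punctuation)
    classes = ["".join(c for c in pool if c not in exclude) for pool in pools]
    classes = [c for c in classes if c]
    if not classes:
        raise ValueError("no characters left to choose from")
    return classes


def generate_password(length=20, **options):
    """Random password with at least one character from every selected class."""
    classes = build_classes(**options)
    if length < len(classes):
        raise ValueError("length is too short to cover every class")
    alphabet = "".join(classes)
    chars = [secrets.choice(c) for c in classes]  # one per class
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # hide where the per-class picks sit
    return "".join(chars)


def entropy_bits(length, **options):
    """Upper bound on entropy: length * log2(alphabet size)."""
    return length * math.log2(len("".join(build_classes(**options))))


if __name__ == "__main__":
    print(generate_password())
    print(round(entropy_bits(20, exclude=""), 1), round(entropy_bits(20), 1))
```

For a 20-character password, removing the three look-alikes shrinks the alphabet from 94 to 91 characters, which costs less than one bit of entropy.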
More intuitive TOTP hint/ guide
Although C2 Password is using standard otpauth:// URIs, the example could be more intuitive than just “otpauth://TYPE/LABEL?PARAMETERS”, as hardly anybody would figure out that they need to type in something like “otpauth://totp/github.com:shadowandy@somewhere.sa?secret=JBSWY3DPEHPK3PXP”.
Extensions for more browsers
Other than Chrome and Edge, consider supporting browsers like Safari and Firefox too.
Closing thoughts
With a different complex password for each account, Synology C2 Password gives users a fairly easy-to-use password manager. Users can improve their cybersecurity practices by shifting their passwords written on post-it notes into the password manager and start having a unique password for each of their accounts. For added peace of mind, Synology C2 Password is backed by end-to-end encryption.
If you already have a Synology account, just give Synology C2 Password a try. It is free anyway.