Synology C2 Password – Free Password Manager

In July 2021, Synology introduced a new secure password manager, C2 Password, to its suite of Synology C2 services. Password managers (like 1Password, Bitwarden, LastPass) have become increasingly popular and necessary over the past few years as a means to foil hackers by having different complex password for every single one of your online accounts. Are you using a password manager? We will take a look at C2 Password features in this article and occasional comparison to my experience with Bitwarden.

Comparing with other password managers

Feature C2 Password Bitwarden LastPass
Price Free Free Premium (US$10/year) Free Premium (US$3/month)
Max vault items 10,000 Unlimited Unlimited
Encrypted file sharing Yes No Yes No
Cross-device syncing Unlimited Unlimited One (1) device Unlimited
Authenticator (TOTP) Yes No Yes Yes
Browser Extensions Chrome, Edge Chrome, Edge, Firefox, Safari, Opera, Vivaldi, Tor Chrome, Edge, Firefox, Safari, Opera
Mobile app * Soon iOS, Android
2FA Login Yes
Leaked credentials monitoring No No Yes No Yes
Self-host option No Yes No
* Information as of 7th August 2021

In terms of core features, C2 Password is not too different from the incumbents. I have some suggestions or improvements in the later part of the article.

Synology C2 Password Features

My Vault

This is the main web dashboard where one can create and organise login credentials and other personal information. These information are securely kept in Synology Cloud (Synology C2) and made available via the web portal or through web browser extensions (e.g. on Chrome, Edge). Synology highlighted that C2 Password mobile apps for iOS and Android will be available in the near future.

Platform Security

End-to-End Encryption

The passwords, items and stored files are protected with AES 256-bit encryption. The encryption and decryption are happens on your’s device so all data that leaves the device is fully protected. That is why you are required to key in their C2 Encryption Key whenever you login to C2 Password. This zero-knowledge design ensures that the C2 Password platform does not know the actual contents (cleartext/ plaintext).

Password Generator

The C2 Password can help you generate passwords with customisable length and complexity (e.g. uppercase, lowercase, numbers, special character). A complex/ strong password makes it difficult for hackers to brute force. Other than password generation, it is also capable of generating time-based one-time passwords (TOTPs) for websites and services that require two-step verification. Yes, TOTP is free unlike other password managers (i.e. Bitwarden).

Getting Started with C2 Password

Signing up and initial setup

You will just need a Synology account to start using C2 Password. Simply navigate to Synology C2 Password and click on the “Get Started” link on the top right hand corner.

Creating a new vault item

Compared to Bitwarden that I am using, there are more categories for vault items. Synology has templated the required attributes for each category for ease of form filling. For example:

  • For Login, attributes like username, password, URL, etc.
  • For Identity, attributes like full name, date of birth, address, etc.
  • For Payment Card, attributes like full name, card number, CVC, etc.

Below, I will navigate through the process of adding a Login vault item.

Using the C2 Password with web browser extension

Setting up my Chrome browser extension

Installing the browser extension is not different from others, you can either search for C2 Password in the browser’s extension store (e.g. Chrome web store) or initiate the install via C2 Password web portal.

Using the C2 Password browser extension

The C2 Password browser extension will automatically fill in the necessary credentials when it detects the fields. It also presents an overlay on the fields in case we wish to make use of another stored credentials in the vault. This is unlike Bitwarden’s default method where the browser extension icon shows a badge on the count of matched credentials that can be used and one would need to select the matched credentials to fill the fields. There are pros and cons for each method. However, I must add that Bitwarden also as the feature of automatically filling fields (albeit experimental).

2FA logins withtime-based one-time password (TOTP)

Most websites support two-factor authentication (2FA) nowadays. While some of them relies on sending OTP via SMS or emails, majority support time-based one-time password (TOTP).

I created a vault item for my github.com account with the correct TOTP secret in the TOTP field. Do take note on the format or URI for the TOTP field.

The TOTP do not get automatically filled in like the username and password fields. You will need to click on the C2 Password browser extension icon, navigate to the suggested vault item and copy the TOTP. C2 Password will suggest and list the vault item at the top of the list.

Other C2 Password browser extension settings

On the option on when will C2 Password be auto-locked, I recommend changing it to “When screen is locked” from the default “On browser restart” as the minimum baseline if you have screen timeout and screen lock configured on your laptop/ desktop.

File Transfer

C2 Password also allows you to upload and share files securely to others. The sharing links can be valid up to 7 days and you can also limit the file to a single download (one time access).

Feature C2 Password – File Transfer
File size limit 100 MB
Number of recipients per file 1
Concurrent active file transfer 1
Transfer expiry duration Up to 7 days
OTP to email address Yes
Download only once option Yes
Watermark file Yes

Sharing file(s)

Currently, you can only share/ transfer one (1) file in the free tier.

Retrieving the transferred file

The recipient can access the file by simply navigating to the shared link address.

Suggestions

Avoid ambiguous characters in password generator

The password generator is great but it can be better by omitting ambiguous characters. Depending on the font-family used, 1 (numeral 1), I (uppercase i) and l (lowercase L) can be visually challenging when one is visually copying and pasting the password. This issue would be more pronounced when C2 Password releases the mobile app and users refer to their vault items on their mobile device but key in the password into their laptop/ desktop’s web browser.

More intuitive TOTP hint/ guide

Although C2 Password is using standard otpauth:// URIs, the example could be more intuitive instead of just “otpauth://TYPE/LABEL?PARAMETERS” as nobody would likely figure that they need to type in something like “otpauth://totp/github.com:shadowandy@somewhere.sa?secret=JBSWY3DPEHPK3PXP“.

Extensions for more browsers

Other than Chrome and Edge, consider supporting browsers like Safari and Firefox too.

Closing thoughts

With different complex password for different accounts, the Synology C2 Password gives users a fairly easy to use password manager. Users can improve their cybersecurity practices by shifting their passwords written on post-it-notes into the password manager and start having unique password for each of their accounts. For added peace of mind, Synology C2 Password is backed by end-to-end encryption.

If you already have a Synology account, just give Synology C2 Password a try. It is free anyway.

 

Treat shadowandy!

If these step-by-step guides have been very helpful to you and saved you a lot of time, please consider treating shadowandy to a cup of Starbucks.  

This site contains links to Amazon. These links will take you to some of the products mentioned in today’s article. As an Amazon Associate, I earn from qualifying purchases.
Subscribe
Notify of
0 Comments
Inline Feedbacks
View all comments