Last month, on June 29th, Synology officially announced the new DSM 7 and, with it, new C2 features.
In this article, I would like to reflect a bit on one of those apps, the new C2 Password, Synology's cloud-driven password manager.
C2 Password - Synology's freemium password manager
If you have been following me here on the site and on social media, you will know that I am an avid fan of the Bitwarden platform, and have several articles on the subject of self-hosting that solution on your own end using Docker.
The reason for this is that most other password managers out there are commercial solutions, and the "worse" part is, they are out there in the "cloud". So it is up to you to trust a 3rd party provider to guard all your passwords and other sensitive information on their end.
Well, I don't know about you, but that is not something I am willing to do. Truth is that nowadays, it's very hard to avoid "the cloud" unless you run your own platform for self-hosting, like a NAS or any other server-type device. That requires a lot of elements to make it work, so it is no wonder that most people will opt for the turn-key "cloud" solution and be done with it.
When it comes to password managers, there are no free solutions out there that will support multiple devices, users, syncing, etc., without a price tag, and C2 Password is no different.
Truth be told, as much as Synology's solution is "freemium", it offers a lot in its free tier.
- Max. number of secure items: 10,000
- Password strength detector
- Cross-device syncing: 1
- Secure file transfer
- Upload limit per transfer: Up to 100 MB
- Max. recipients per transfer: 1
- Max. concurrent active transfers: 1
- Transfer expiry date: Up to 7 days
- One-time download option
- Web browser: Chrome, Edge, Firefox, Safari
- Browser extension: Chrome, Edge
- Mobile app: iOS & Android* (end of 2021 for iOS, and 2022 for Android)
The Pro tier's features and price have not been revealed yet, so that information is still to come.
What's in the box?
So what can C2 Password do for you? As you can see from the list above, it is mainly a password manager that lets you store a lot of items. It also has a password generator so you can keep all your passwords unique (as you should), and it offers secure file transfers.
Like some of its competitors, it will be more than a pure password manager, but be sure to pay attention to how it works and with what platforms. As you can see from the same list above, C2 Password does not have web extension support for Safari. Right there, this is a deal-breaker for me. Sure, I can use an alternate browser, but I don't want to, so there you have it. Forcing me to use Chrome or Edge (please!) over any other browser out there is something I am not ready to accept.
Aside from that, mobile apps are still not ready and will roll out eventually (iOS by the end of 2021, and Android at some point in 2022), so this is again not something that you will have right off the bat. If you decide to use this solution, be sure that it will work on all the devices you want, when you want it.
Synology is trying to offer services that are going outside of their comfort zone when it comes to NAS devices, and that is a good thing, as you do not have to have any device made by Synology to use C2 Password. So if you are in the market for a password manager that is initially free and works on most platforms (or will in the future), but don't want to host your own (or can't), then C2 Password might be just what you are looking for.
Considering that C2 Password will be hosted on Synology's C2 infrastructure, some might question the security of it all. Now, if you are not open to hosting your own password manager platform, like Bitwarden for example, you will have to trust some company to do it for you. In this case it's Synology; in another it will be 1Password, for example. That said, let's see what Synology as a company has in place to protect the sensitive data that you will entrust them with.
As a platform on which users store sensitive data, C2 Password ensures that only the vault’s owner or those he or she entrusts can access the information contained in it. This is achieved through:
- Passwords, items, and stored files are protected using AES 256-bit encryption. Encryption and decryption are carried out at the device level, meaning that all data that leaves the device is fully protected.
- The C2 Encryption Key, which is used to encrypt all data on the platform, never leaves the device on which it is created, greatly reducing the risk of credential leaks over insecure networks.
- Two-Factor Authentication (2FA): Sign-in attempts to C2 Password require a TOTP generated on a mobile device, ensuring that only rightful individuals can access stored data.
C2 Password management
Let's see how C2 Password works when it comes to its main features and functions.
Before you start using your C2 Password, you need to create your C2 Encryption Key.
WARNING! - In case you get an error in the lower right corner of the window while setting up your key, saying [object Response], DO NOT cancel out of the screen, or the wizard will register your key as entered (and it is not) and will ask for a key the next time you try to log in. This will fail, and the recovery code process DOES NOT WORK at the moment, so you will be locked out!
If all goes well, you will be logged into your C2 Password dashboard!
Create, delete and use items
Like any other password manager, C2 Password lets you create multiple types of accounts, including a Wireless router object (??).
Depending on the type you will have various options to fill in.
In any case, you will have the option to extend the item with other custom fields if you need to (depending on the initial item category).
One thing that will probably be interesting to you is the fact that you will need 2FA (TOTP) protection for your login items. C2 Password does support it, but at the moment adding it to the item itself might be a bit of a problem.
The reason for this is that you will need to type it (or copy it) in the expected format.
otpauth://TYPE/LABEL?PARAMETERS is the expected format for 2FA, and with the lack of a mobile application (at the time of writing this article) you will not be able to scan the QR code, and entering a single string of numbers and letters is not an option.
That leaves you with typing the expected format. This is an example of what the expected format looks like for a live Matomo 2FA:
Now, before you start cursing, there is a way to get this information without the C2 Password mobile app. Use an ordinary QR code reader app to get the URL from the QR code and paste it into the field. Yes, not the cleanest solution, but at the moment it is what it is. The point is that 2FA works fine, but you will have to make an effort for it.
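Building and checking the otpauth:// string when a site only shows the bare setup key, as an added example that is not part of the original article or Synology's code. The issuer, account name and secret (the RFC 6238 test key) are constructed; `totp()` lets you confirm that the URI yields the same codes as your authenticator app.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit


def _decode_secret(secret_b32):
    """Base32-decode a TOTP secret; raises ValueError if it is malformed."""
    s = secret_b32.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def build_otpauth_uri(secret_b32, account, issuer, digits=6, period=30):
    """Wrap the bare base32 setup key a site displays in an otpauth:// URI."""
    _decode_secret(secret_b32)  # reject typos before they reach the vault
    secret = secret_b32.replace(" ", "").upper()
    params = urlencode({"secret": secret, "issuer": issuer,
                        "digits": digits, "period": period})
    return f"otpauth://totp/{quote(issuer)}:{quote(account)}?{params}"


def parse_otpauth_uri(uri):
    """Validate otpauth://TYPE/LABEL?PARAMETERS and return its fields."""
    parts = urlsplit(uri)
    otp_type = parts.netloc.lower()
    if parts.scheme != "otpauth" or otp_type not in ("totp", "hotp"):
        raise ValueError("expected otpauth://totp/... or otpauth://hotp/...")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in q:
        raise ValueError("missing 'secret' parameter")
    algorithm = q.get("algorithm", "SHA1").lower()
    if algorithm not in ("sha1", "sha256", "sha512"):
        raise ValueError("unsupported algorithm")
    return {"type": otp_type, "label": unquote(parts.path.lstrip("/")),
            "key": _decode_secret(q["secret"]), "algorithm": algorithm,
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}


def totp(fields, at_time):
    """RFC 6238 code for the parsed URI at Unix time at_time."""
    counter = int(at_time) // fields["period"]
    mac = hmac.new(fields["key"], struct.pack(">Q", counter),
                   getattr(hashlib, fields["algorithm"])).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** fields["digits"]).zfill(fields["digits"])


# Constructed sample: the RFC 6238 test secret, not a real account.
SAMPLE_URI = build_otpauth_uri("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                               "admin@example.test", "Example", digits=8)
```

The URI carries the shared secret in clear text, so anything it passes through (a QR reader app, the clipboard, a text file) should be treated like the password itself.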
As I pointed out before, (at the moment) only the Chrome and Edge browsers support this feature, and as I don't use either of them I can't show how the extension works (I choose not to install those browsers).
There is an extensive KB article on how to set it up and what you need to do to combat the Chrome autofill problem, so be sure to check it out.
Import items from other managers
This is something that you will expect a password manager to have, and C2 Password does. Still, saying this, you will have to customize your current password manager export (like Bitwarden for example), before importing the data into C2.
The reason for this is that C2 uses a specific CSV Template before importing your data.
The following KB explains what the expected headers in the CSV file are, regarding the name and expected data type.
There are also limitations when importing data into C2 Password via CSV:
- C2 Password currently only supports importing login items from CSV files. File attachments and items other than logins will need to be manually added to your Vault.
- Please save your prepared CSV files in UTF-8 (8-bit Unicode Transformation Format).
- Each CSV record will be displayed as an item in your Vault. C2 Password does not check if the items in your CSV import file are duplicates of items in your Vault. This means that if an item already exists in Vault, importing the same item will create a duplicate Vault item. Before importing, we recommend that you do either of the following:
  - Editing your import file to include only the new Vault items.
  - Clearing your Vault login entries prior to the import operation.
So, not the cleanest solution, but there is documentation on how you can alter your export and get it aligned with C2 Password before importing. Considering that this is a one-time action, probably not the end of the world, but it is expected for a password manager to not be out-of-the-box compatible with other competitive products out there.
With a CSV export/import solution you can basically import data from any product out there, but you will have to put some effort into it.
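One way to prepare a Bitwarden CSV export within the limitations listed above: keep login items only, drop entries that are already in the vault, and write UTF-8. This is an added example, not code from Synology or Bitwarden; the `TEMPLATE_*` header names are placeholders for the ones in Synology's KB template, and the sample rows are constructed.

```python
import csv
import io

# Left: Bitwarden CSV export columns. Right: PLACEHOLDER header names; replace
# them with the ones from Synology's CSV template KB before importing.
COLUMN_MAP = {
    "name": "TEMPLATE_TITLE",
    "login_uri": "TEMPLATE_URL",
    "login_username": "TEMPLATE_USERNAME",
    "login_password": "TEMPLATE_PASSWORD",
    "notes": "TEMPLATE_NOTES",
}

# Constructed sample export: one login, one secure note, one repeated login.
SAMPLE_EXPORT = (
    "folder,favorite,type,name,notes,fields,reprompt,"
    "login_uri,login_username,login_password,login_totp\n"
    ",,login,Café router,,,0,https://router.example.test,admin,constructed-pw-1,\n"
    ",,note,Wi-Fi notes,guest network,,0,,,,\n"
    ",,login,Café router,,,0,https://router.example.test,admin,constructed-pw-1,\n"
)


def convert_export(export_text, already_in_vault=()):
    """Return (csv_bytes, skipped) for a Bitwarden CSV export.

    already_in_vault: (name, username) pairs to leave out, since the
    import itself does not check for duplicates.
    """
    seen = set(already_in_vault)
    out = io.StringIO(newline="")
    writer = csv.DictWriter(out, fieldnames=list(COLUMN_MAP.values()))
    writer.writeheader()
    skipped = []
    for row in csv.DictReader(io.StringIO(export_text, newline="")):
        key = (row["name"], row["login_username"])
        if row["type"] != "login":  # only login items can be imported
            skipped.append((row["name"], "not a login item"))
        elif key in seen:
            skipped.append((row["name"], "duplicate"))
        else:
            seen.add(key)
            writer.writerow({dst: row.get(src) or ""
                             for src, dst in COLUMN_MAP.items()})
    # Encode explicitly so non-ASCII names survive as UTF-8.
    return out.getvalue().encode("utf-8"), skipped
```

Both the export and the converted file hold every password in clear text, so delete them once the import has been verified; the `skipped` list tells you which items still have to be added by hand.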
The benefit of using a password manager is that you don't have to think about your next complex password. You can leave that task to the password generator and just forget about it. The best way to protect your accounts is to not type in the password at all.
This feature is nothing special, but I do have to note that you will have a maximum of 30 characters (at least at the moment). Now, this will be enough with maximum complexity for most users, but limiting it to 30 is kind of puzzling, as the password field allows 64 characters. It doesn't make sense to me why the limit of 30 is enforced here, but there you have it.
One thing that I do have a problem with is that you can't invoke the password generator when adding an item. This means you will have to generate the password, and then open the creation of a new item in order to paste it in. Again, it is only 30 chars long, so if you want a more complex password you will have to manually combine it.
Not the end of the world, but, a bit of a bitter taste when it comes to making password manipulation easier for users using a password manager.
Secure file transfer
Apart from using it as a password manager, you can also send secure items to 3rd party users to make sure that the data is protected at all times, end-to-end.
You can add files and folders in a single task to send them securely to a 3rd party. Using the Upload button will allow you to add the items and then configure the task using the wizard.
Once you add the file(s) you want to send, you can configure various options: task name, expiration date, limits, and you can even apply a watermark.
Once you have configured it and depending on your subscription you will have the option to send it to your recipients.
When your recipient receives the URL, they can access the file and view the content.
Another way to get your transfer is to use the QR code to scan the request and start the process of accessing the files.
With this version 1 of C2 Password, Synology has made it clear that they want to utilize their C2 platform a bit better, but there is room to improve on the current version in multiple elements (import, web browser support, extensions, password generator), and hopefully, that will happen soon.
For now, it is a decent solution if you are in the market for a free password generator, but compared to the likes of Bitwarden, for example, there is much to be desired on top of what the platform offers at the moment.
So are you ready to make the jump? Even if you don't want to hand over your keys to Synology and their C2 cloud to safeguard your data, maybe this article has at least made you think a bit about your password policy and how good or bad you are handling your own accounts. Hopefully, by the next #passwordday, you will be more protected, organized, and secure for your own sake, regardless of the platform you choose.
Will Synology make a long run with C2 Password? Well, IMHO, there is a huge market for those types of tools, especially today with all the leaks, hacks, and whatnot. Try not to be part of any statistics, and get yourself a password manager, be it C2 or any other out there.
Let me know what you think about this solution, as well as whether you use a password manager in the first place, and if so, which one. The comment section below is open!