If you are not using some sort of password manager, I only have one question – Why? There are many options available, but here we are reviewing C2 Password (Plus) from Synology. No, you won’t need a Synology NAS to use this; it is an independent offering.
There is no excuse for not having some kind of password manager in this day and age. Our identities and information are only as secure as the value we place on them, and there are plenty of stories of identity theft that lead to years of pain trying to undo the damage, if it can be undone at all.
I am not going into a full breakdown of dos and don’ts on password security, but the top ones I should point out are:
- Don’t write your password on a Post-It note and stick it under your keyboard. It’s the first place I look.
- Don’t write your password on a Post-It note and stick it on your monitor. It’s the second place I look.
- Don’t reuse passwords between sites. For goodness’ sake, qwerty, password and 123456 are not passwords.
- Avoid using cross-site logins like Facebook or Google for logging into sites.
- An Excel spreadsheet or a Notepad file is not a password manager.
What is C2 Password (Plus)?
C2 is Synology’s cloud offering. Whilst they are better known for their solid NAS offerings and DiskStation Manager, they have been moving into the cloud software offering for quite some time under the C2 banner.
According to Synology, about 61% of data breaches in 2020 were the result of compromised credentials. People are still in the habit of reusing the same password across multiple accounts.
C2 Password, safe credential management, is designed from the ground up with privacy in mind. The entire system is built to reduce the amount of sensitive user data that Synology has access to. In their own words, “it is impossible to lose, use or abuse data that one doesn’t possess.” This goes right down to the C2 Encryption Key that is used during authentication (more on this point later).
The full white paper is available here, and is a worthwhile read to understand the concept, design and architecture of this solution.
The key components of C2 Password are:
- My Vault – where all items of your credential management are listed and organised, encrypted using the AES 256-bit algorithm.
- Shared Vault (Plus only) – where your credentials can be used by people to whom you have granted access. These people can use your credentials without having the details exposed.
- Password Generator – a place where you can generate passwords from 5 to 30 characters in a mix of letters, cases, numbers and special characters.
- File Transfer – sharing of files securely with a time-bombed URL.
C2 Password is entirely cloud based. As mentioned before, there is no dependency on having your local Synology hardware. You do need a Synology account, either one you are already using with QuickConnect, or one you sign up for on the webpage here.
Once you log in, you will be asked to choose a plan – either the standard free plan or the Plus plan; the pricing varies depending on which datacenter you choose.
This is important, as the datacenter selection is easy to miss: it is a small dropdown box above the free plan. You can choose between:
- Europe (Frankfurt)
- North America (Seattle)
- APAC (Taiwan)
Choose carefully here because you can’t change this once you are committed.
The next step is to set up the C2 Encryption Key. Synology does not store a copy of it, so make sure you note it down and store it in a safe place. After this a Recovery Key is generated which, as the name says, allows you back into the account in the event you lose the Encryption Key.
So when I (in a fit of silliness) started to look at C2 Password during the holiday season, I was obviously having way too much fun celebrating; guess who can’t find their Encryption Key *or* Recovery Key? Yours truly. There is zero ability to recover from that, other than to log a support call to delete the account and start again. When you go for the nuclear option, your subscription goes along with any remaining credits in the system.
The main feature of C2 Password, of course, is credentials management. As can be seen in the table above, the feature set between the free and paid tiers is almost the same. The key difference is that with Plus you can have up to 5 additional users (plus the owner) and the ability to share entries from your vault.
At this point you can add your credentials in one by one. There are seven categories which have templates to store your essential data, these are:
- Login (website)
- Bank Account
- Payment Card
- Mail Server
- Secure Note
- Wireless Router
In each category you can further customise by adding custom fields, including the ability to attach a file.
The option to import via CSV file is only available to Plus subscribers. If you have an existing password file and want to move wholesale into C2 Password (for example, I have 1346 entries in my list), then you want to at least take up the 30-day trial of Plus just to get your database across.
The sample template allows for Login type entries, and Synology refers you to the Knowledge Center for importing other categories. I gave that a try; suffice to say you want to know what you are doing there. You can’t convert from one category to another once the record is created, though.
With your credentials in C2, it is simple to just search for your entry, click on it and get all the details you need in one place. For website login records, you can hover near the URL and have it open in a new tab on your browser. After that it is a matter of copying your username and password into the correct fields for login.
You can move entries from your own vault into the Shared Vault and vice versa in the Plus plan. This helps keep shared credentials secure in the same location.
The C2 Password vault works as a bucket to store all your credentials. At this point the only means of organisation is to add tags to your entries which can then be used to filter. The other option is to use the search function.
When an entry is updated, the record notes the date, time and user that modified it.
There is also a Recycle Bin for entries, where deleted items are kept for 365 days in case you accidentally delete something.
C2 Password also comes with secure file sharing. This is not the same product as C2 Transfer and there are limitations. Files are limited to a maximum of 100Mb in size, a single recipient, and only 1 active transfer link at any one time.
Link expiry duration has hardcoded intervals of 30 minutes, 3 hours, 24 hours, 72 hours or 7 days. You can limit to one download per file and add either a text or an image watermark to the file for security.
A nicely thought out security feature is the lack of automated emails notifying recipients of a file share. The onus is on the sharer to notify the recipient.
C2 Password has the ability to generate time-based one-time passwords (TOTPs) for websites and services that require two-step verification. This eliminates the need for another app on your phone to generate your six-digit 2FA tokens.
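An added example, not code from Synology or from C2 Password, showing how a six-digit TOTP token like the ones described above is derived: an HMAC over a counter (RFC 4226 HOTP), with the counter taken from the current 30-second time step (RFC 6238). It also shows the verifier side tolerating one step of clock drift, which is why the shared seed deserves the same protection as a password: anyone holding it can compute every future code. The seed constant is RFC 6238’s published test seed, used only so the output is checkable; the function names are my own.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 6238's published SHA-1 test seed (the bytes "12345678901234567890"), base32-encoded.
# Used here only so the example has deterministic, checkable output; a real
# account seed comes from the service's QR code or setup key and must be kept secret.
RFC_TEST_SEED = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226) for a raw secret and counter."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                     # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(base32_secret: str, for_time: Optional[int] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238) from a base32 seed."""
    if for_time is None:
        for_time = int(time.time())
    # Seeds copied from QR codes are often lowercase, spaced or unpadded; normalise.
    seed = base32_secret.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    key = base64.b32decode(seed)
    return hotp(key, for_time // step, digits)


def verify_totp(base32_secret: str, submitted: str, for_time: Optional[int] = None,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or +/- `window` steps.

    Uses a constant-time comparison so the check does not leak how many digits matched.
    """
    if for_time is None:
        for_time = int(time.time())
    submitted = submitted.strip()
    if not submitted.isdigit():
        return False
    for drift in range(-window, window + 1):
        expected = totp(base32_secret, for_time + drift * step, step)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 vector: at Unix time 59 the SHA-1 code is 287082 (94287082 with 8 digits).
    print("code at t=59:", totp(RFC_TEST_SEED, 59))
    print("current code:", totp(RFC_TEST_SEED))
    print("accepted within drift window:", verify_totp(RFC_TEST_SEED, "287082", 75))
```

The drift window is the usual trade-off: one step either side covers a slightly wrong phone clock, while a wide window multiplies the number of codes an attacker could guess per attempt, so pair it with rate limiting.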
Having used many different credential managers, and also having well over a decade of a particular custom solution that I use, I am pretty opinionated about what doesn’t work for me.
The C2 Password solution has a built-in password generator, which is great, but the drawback is that it is not part of the password creation form. If you are already in the form, you have to cancel out of two screens (the form and then the category), go to the profile icon, down to Tools, then Password Generator. Copy the password created, then go back into creating your form. Of course you can save what you have done previously, but you still have to go to the Password Generator separately to achieve this.
Special characters in the Password Generator are limited to &^$#@ only. This is a silly, arbitrary decision that reduces the possible complexity of passwords.
The tags for filtering work well enough, but I really would like the ability to organise my data in a folder structure. Over 1000 entries is a lot to have on the same pane.
There is no history kept for your credentials. If you have changed your password and updated your entry in C2 Password, that’s it. You can’t go and view or restore the previous password.
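As an added example (not C2 Password’s own generator), here is what the special-character restriction means in password strength: a generator over the alphabet the review describes, and the entropy of 5- to 30-character passwords with the five allowed specials versus all 32 printable ASCII punctuation characters. That the alphabet is upper and lower case letters plus digits, and that the full punctuation set is the right comparison, are my assumptions.

```python
import math
import secrets
import string

# Alphabet as described in the review: upper/lower letters and digits, plus the
# five special characters the C2 generator allows. Composition is assumed.
LETTERS_DIGITS = string.ascii_letters + string.digits   # 62 characters
C2_SPECIALS = "&^$#@"                                    # the 5 specials named in the review
FULL_SPECIALS = string.punctuation                       # 32 printable ASCII specials (comparison set, assumed)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password over an alphabet of this size."""
    return length * math.log2(alphabet_size)


def generate(length: int, specials: str = C2_SPECIALS) -> str:
    """Generate a password containing at least one lower, upper, digit and special.

    Draws from the secrets module (OS CSPRNG) and retries until every class is
    present, which keeps the choice uniform over passwords that satisfy the policy
    rather than biasing fixed positions toward particular classes.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover all character classes")
    alphabet = LETTERS_DIGITS + specials
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in specials for c in candidate)):
            return candidate


def compare(length: int) -> dict:
    """Entropy at this length with C2's five specials versus the full ASCII set."""
    return {
        "c2": entropy_bits(len(LETTERS_DIGITS + C2_SPECIALS), length),
        "full": entropy_bits(len(LETTERS_DIGITS + FULL_SPECIALS), length),
    }


if __name__ == "__main__":
    for n in (5, 12, 20, 30):
        e = compare(n)
        print(f"{n:2d} chars: C2 set {e['c2']:6.1f} bits, full set {e['full']:6.1f} bits")
    print("sample (C2 alphabet):", generate(16))
    print("sample (full alphabet):", generate(16, FULL_SPECIALS))
```

The numbers show the limitation is modest but real: at 30 characters the five-special alphabet gives about 182 bits against roughly 197 for the full set, and length matters far more than the symbol set, since a 5-character password barely reaches 33 bits even with every special allowed.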
At time of writing, there is no Android app (due 2022) and browser extensions only support Chrome and Edge with further support still coming.
Lastly the offering is purely cloud based. Ideally I would like the ability to keep the keys to my kingdoms on my local Synology NAS.
C2 Password is Synology’s solution to a global problem, and it works as advertised. Realistically it is a credentials manager no better or worse than many other offerings.
It is a tough sell for someone who is already invested in a password manager, and there is no real compelling reason to migrate. There are definitely some drawbacks which I am less than happy about from an implementation decision and workflow point of view. The gripes are not fatal and certainly not an impediment to anyone new to the credentials manager game. It is a little disappointing that there is no support for Firefox or Android at this point.
On the plus side (see what I did there?), the C2 Password Plus subscription is very reasonably priced. The ability to share credentials with up to 5 other users is a valuable feature to centralise and manage entries.
The file share limitations cripple what is a very useful feature. Understandably, Synology would prefer to push the C2 Transfer offering.
C2 Password is free. The Plus subscription varies depending on which region of the world you are in, but is around the $5 or Euro mark per year, and it is a pittance compared to the benefits of sharing credentials with a trusted group.