Synology launched their own password manager last month. It was called C2 Password. It is part of their new cloud based solution for storage, password management, file sharing, and backup. I'm guessing C2 means command & control as how it is usually known in IT world. Under C2 there's also Backup, Storage, Identity and Transfer.

Right now C2 Password is only available for single use which is free, with family plan coming in the future. With it you get to save 10,000 items in vault, password generator with strength detector, 2FA/TOTP authenticator, and also limited file transfer functions. It have browser extension for Edge and Chrome. It still doesn't have iPhone and Android app though, iPhone app coming in end of this year while Android app coming next year.



To use it, go to this link and click get started
https://c2.synology.com/en-global/password/overview

You need to have a Synology account to use C2 Password. If you don't have one, you can create for free, it doesn't need you to have Synology NAS to create an account.

After create account and sign up, you'll be greeted with this page. You can proceed to enter vault or install browser extension.

The presentation is very simple and nice. White background and black text with green highlight. Button is in green color for confirmation while grey for cancel or some menu button. If alert or caution such as confirming to delete, the button will be in red instead of green.


The first thing you need to do before using C2 Password is to create C2 Encryption Key. This is the key to access your saved items, whether you accessing it from vault or from browser extension. To recap, Synology account & password is for your account while this key is for C2 Password. You need to enter this key every time you use C2 Password, so better for it to be long with many combinations for security but still easily remembered.


After that you need to create Recovery Code. This code is for recovering your key in case you forgot it.

IMPORTANT! If you lose your key and this code, you'll lose access to all your passwords. Even Synology can't recover it since they don't know your key and code. You cry mother father also no use. So keep this code safely.


You need to key in C2 Encryption Key each time when accessing the vault.


This is the main page of C2 Password. You can import CSV file that contain all your data from other password manager. Most password manager support this format for exporting. It doesn't support json file though.


If you add new item, there's selection what type of item it would be. For Identity, it is similar to contact info, such as name, date of birth, address, phone, email, and so on. Bank Account as it's name, for banking info such as bank name, full name, account number, SWIFT code, address, and so on. Payment card is for credit or debit card, it have entry for card type, number, expire date, PIN code, CVC.


Login is what most people probably going to use this for. As the picture above show, it can add name for the login, URL which it will suggest if you open the extension on that website, tags for easy search, 2FA/TOTP if you want to add it into C2 Password, and also add additional field. It also will give indication if password is weak or strong.


After added Login, it will show as such. If click on the account, it will come out the details on the right panel. A bit of concern, the dots that's displayed in password is actually the same amount as your password. In browser extension it is also the same.

There's no function to create folder as way to organize all the entries. One way to organize is by using tags, if you used to use tags then it should be no issue.


It also have password generator where you can specify the length and which type of character to be included. It can't generate passphrase though, maybe this is something that can be added in future.

As with most password manager these day, C2 Password also have a file transfer function where you can attach files up to 100MB size. It is limited to 1 transfer per-day and the download link is valid up to 7 days. 


The link validity can be set at minimum 30 minutes or maximum 7 days. If the file is an image, it can also add watermark to it. You need to specify the recipient email address when creating the file transfer.


Once created, can copy the link for sending to recipient.


For recipient side, once they open the link and enter the correct email address, they'll receive 1 time pin on their email that's valid for 5 minutes.


The way Synology implement this, I feel it is quite secure that only the correct recipient can have access to the file. Even if others have the link, they cannot download it if they don't have access to the email that is specified for the transfer.


Synology also have Secure SignIn app as two-step authentication for login to the account. It can be enabled at Synology Account's Profile. With it enabled, to access the vault, one would need the account username/email, password, Secure SignIn and lastly C2 Encryption Key or Recovery Code. That is 4 challenges that need to be break which I feel makes using this password manager is quite safe.

C2 Password also have browser extension for Microsoft Edge and Google Chrome on PC. In can be installed in each respective store.


Once installed, you need to login to your Synology account and then put in your C2 Encryption Key.


The option for browser extension is simple and basic. It is not as much as other more matured password manager. It can do autofill username and password. If added URL on the login data, it would put the login on top as suggestion. Else, there's search option to find if you got too many entries. You can also key-in tag as search. About the URL, there's no option to specify how to treat the saved URL though, such as set it as exact then it will only suggest the login if it exactly matched. It is useful if you use different login for different sub-domain.

Clicking on "the guy" will copy username while the box with dots inside will copy password. Clicking on the right most arrow button will expand/collapse the login info. Creating new entry (click on the + sign) will open C2 Password webpage. It is the same if you click to edit existing entry. You can't edit or create entry on the extension, all have to be done in the vault. Only favorite/unfavorite an entry can be done in extension.

Password Generator function is also available in extension and it look and behave exactly same as the one in vault.

There's no much settings available for extension. You can specify to lock the extension after 15/30/60/240 minutes or after browser restart or when screen is locked. Once locked you need to enter C2 Encryption Key again to access it. There's no option to use pin as way to unlock. If you click Sign Out, it will sign out from Synology Account. Next time when you want to use it, you need to login to your Synology account first and then put in your C2 Encryption Key.

I feel C2 Password is an usable option for credential manager with added benefit of secure file transfer. It does feel lacking in some functions compared to other more established passwords manager, such as there's no option to use pin, clear clipboard after certain period, use dark theme, and timeout will log out. But having 2FA and file transfer is quite a big plus. In the end, as the app for mobile phone still not yet available makes it difficult to use this passwords manager since most people nowadays also use heavily on their mobile phone.

This seems a lot better than Keepass.

The name Synology gives the impression it’s a China product but it’s actually from Taiwan