Not necessarily. You can run CoyIM without Tor by removing the tor-auto proxy from the connection settings. Nevertheless, it is recommended to use CoyIM with Tor.

‘Not yet audited’ means that CoyIm is still under active development. There have been no security audits of the code, and you should not currently use this for anything sensitive.

Here are some useful resources to learn about what CoyIm uses:

• OTR
• TLS
• Tor Project

Here are some useful resources to learn more about security:

• security in-a-box
• EFF

Sadly no. The password for your configuration file is directly used to generate the encryption parameters that store the configuration file in a safe way. For this reason you will not be able to recover a lost password. Any other choice would not be secure, since if you can recover the password, someone else could also recover it.

We recommend the use of a password manager such as KeePassXC to store all your passwords in a safe way. That way, you reduce the risk of losing access to your configuration.

We often get requests to implement various features in CoyIM. And while we understand that most of these requests would be useful to many of our users, we will often say no, since most features would decrease the security of the application. Please take a look at the documentation about what features we won’t have for a more in-depth explanation of this issue.

If you do want to propose a feature, you can do so in our issue tracker here. Before submitting a new issue, we recommend that you do a quick search among previous issues to see if your request have been discussed before.

We regularly get the request to make CoyIM run on mobile devices. For several technical reasons, this is not really possible. The features of CoyIM and the way they are implemented and the philosophy of the product are all incompatible with a mobile device implementation. So, we will not create such an application.

We do believe that some of the ideas behind CoyIM might be useful in a mobile setting, but that would involve a completely new project, designed from the ground up for the mobile environment. It might happen in the future, but we do not have any immediate plans for it.

When you choose to encrypt your CoyIM configuration file, we will ask you to choose a password for this. The password will be run through an algorithm called SCrypt which will spend a lot of processor time to generate an encryption key, that will then be used to actually encrypt the file. This is a powerful technique which means that anyone trying to brute-force the password will have to use the same process to test whether the password is correct. In practice, testing one password against a CoyIM configuration file can take between 0.5 to 3 seconds, depending on your computer. This means that trying even just a few hundred passwords would take a long time for an attacker. So, the answer to this question is that the password doesn’t have to be extremely strong. It should not be “1234”, but it doesn’t have to be “pPfxIutXV3qUFt7kzbxAiAuhXYgNzrAgpToElLUamz8Q5fYFKhXYd57DI3ckX2Cktv2MeQ” either.

Yes, it should be completely safe. We encrypt the configuration file using a standard method which protect the information in it significantly better than other applications out there. This does assume that you have not turned off the option to encrypt the configuration file.

We get this question quite often, and for the reasons outlined here we don’t believe that supporting any other encryption protocol is a good idea for CoyIM. If you are interested in reading more about our perspective specifically about OMEMO, you can find several issues in our issue tracker about it here.

Your configuration file will be stored in different locations depending on the operating system. It will also have different names depending on whether it is encrypted or not. All of the below examples will assume that your username is “testuser”.