ONYX v1.2-beta - now actually comfortable to use
I’ve been working on ONYX for a while now, and v1.1 was honest about one thing — it was secure, but using it every day felt like a chore. This update is mostly me fixing that.
What’s new
- File uploads now show a preview and progress.
- Message forwarding — took longer than it should have, but it’s in
- Keyword search across chats
- Smooth send/receive animations — on by default if you search the settings, and I liked having them
- Tap a reply to jump to the original message
- Message pinning (local only for now — I want to add it for both sides in next patches)
Improved
- LAN mode stability — this one was long overdue
- General performance
Fixed
- LAN mode connection issues
- Various bug fixes
Still a lot to do.
If you want to follow what’s coming — there’s an update channel inside the app: 12e01467-c154-447b-84f8-133ae76684a1 (channel token)
https://github.com/wardcore-dev/onyx/releases/tag/v1.2-beta
Feedback in the comments is welcome.
Yes, 16 characters minimum. Since there’s no phone number, no email, and no alternative recovery method - the password is the only thing protecting your account. A weak password with no fallback is a real risk, so I set the bar higher intentionally. It also reduces brute force viability. Passphrases are supported but currently not used for login - just the password for now.
That’s a shame. It was my reason for uninstalling. I don’t have a password manager on mobile so there is no chance of me remembering such a long password, so it would lead me to either writing it down on paper, or worse, sending it to myself via a messenger so I don’t need to type it in all the time, which I feel in all cases is less secure than having a shorter but more complicated password (maybe about 8 characters).
I’m assuming other users may share my opinion, especially for a genre of app like a messenger, for which it is generally hard to convince people to install as they don’t want to leave their closed WhatsApp playpen.
Maybe a solution which caters for both worlds could be considered: recommend 16 but accept and warn if someone types in a shorter one (with a minimum of 8)?
Just take four random words, misspell a few of them, and there’s your long password.
You know that, I know that, XKCD knows that and that’s a great way to do it BUT- it’s not just four random words. It’s four random words per service/website I use, which starts to complicate things again.
Sure I can use a password manager on mobile, but Granny who wants to talk to Little Johnny on the messenger he recommended doesn’t have one, nor will she typically remember the four (slightly modified) words in 6 weeks time, meaning she will probably write it down on paper to remember, inherently more insecure than allowing her a shorter password, possibly with a special character she might be able to remember, in my opinion.
I understand the security requirements and why they make sense, but we’re in the field of messengers here, which are incredibly hard to get people to switch to at the best of times. If people are immediately hit with a hurdle at registration, it will probably scare quite a lot of them away if they’re already out of my comfort zone and I find that a shame for such a neat looking project.
I understand it’s not for everyone. But the 16-character minimum is there for a reason — your password is the only key to your account, no fallbacks, no recovery via phone or email. That requires a strong password. There’s a built-in password generator in the app — one tap, cryptographically secure, 16 characters, done. Save it once and you won’t need to type it again. Think of it like a crypto wallet seed phrase — you store it once somewhere safe and that’s it. If the priority is speed over security, Telegram is a better fit. ONYX was built for people who actually care about privacy, and that comes with a slightly higher entry bar. That said, I’ll consider dropping the hard minimum to 8 characters with a strong recommendation to use 16 — so people have the choice but know the tradeoffs.