The Problem

The problem with passwords is that they are guessable. We in the industry have long tried to make it harder for attackers to steal the passwords of users, much to the detriment of the users. By increasing the requirements the user is forced to use tricks to have a chance to remember their passwords. This could be password reuse, writing the password down on the desk, or using some (guessable) personal information. All these are detrimental to the security of the account.

So what can we do. Lets break down some recommendation and risks:

Password Length and Complexity

Every time you create a new account online, you are asked to create a new password. Usually there are a password length requirements, as well as requirements to use at least three of upper case, lower case, numbers and special characters. But how much does this affect the security of the password?

XKCD has a nice comic about this, highlighting that a random string do not add as much security as it gives headache to the user. A better approach would be to use four random words as a password, or even a passphrase. This would increase the security, while minimizing the difficulty to remember the password.

Password Rotations

For a while it was recommended to force password rotations to ensure that even if the password was stolen, it had a limited lifespan. However, this makes it even more difficult for the users to remember their passwords, meaning that the passwords in use gets worse.

Of course you will need to change your password if it gets leaked or stolen, but until then it is better to have a good password and keep that. A good long and unique password will keep your login secure, without needing frequent change.

Two Factor Authentication

The best way to mitigate the risks with passwords is to not fully trusting them. By requiring a second factor for authentication the security skyrockets. My recommendation is to use a two factor authentication app (such as Google Authenticator) for all services that allows it. This will make it a bit more tedious to sign in, but it will 100 % be worth it if it saves you from being hacked.

There are a couple of different ways two factor apps can be used. The most common is that the app generates a rotating 6 digit code, that you enter as a second password. The service can then validate that you have the same app that you used when creating the account. Another alternative is that when you sign in you get a number, this number you enter into your app to validate that you are the one trying to sign in.

The main thing with two factor authentication is to only approve sign-ins that you have initiated. Never give your two factor code to someone calling you, or enter it on an untrusted website.

Password Managers and Login with other Services

Due to the sheer number of accounts we all need to use regularly makes it almost impossible to remember all passwords. Therefore there are two alternative ways to minimise the number of passwords you need to remember.

First of we got password managers. This is a software that helps you create and remember good and unique passwords. By storing the passwords, and syncing them between devices it allows you to just remember a single password. Sure there is a small risk with putting all information into a software, but compared to the risk of using bad passwords, it is manageable. However, you could remember a couple of your most important passwords (i.e. your bank login) ensuring that it will not be compromised if your password manager gets compromised.

An alternative is to use “Log in with XXX”. This feature means that instead of creating a new login, your account gets linked to another service (such as Google or Facebook) and that is used to sign in. This also lets you not remember your password. However, this comes with at a cost, your privacy. Whenever you sign in with another service, that service knows that you signed in. If that is something you are OK with, you are good to continue using the feature, otherwise, you will have to look for other ways forward.

Passwordless Authentication

There is a new way of signing in begining to gain popularity, Passwordless sign in. The tech behind this way of signing in is quite interesting, and might be a topic for a future blogpost. However, there are few sites where it is implemented so I will just leave this as a tease.

Summary

So there are many risks with passwords, and it is difficult to keep up whenever the best practices changes. At the point of writing, I would give two recommendations.

1. Everyone should use Two Factor Authentication. It is the best way to secure your accounts, and should be the bare minimum for important accounts.
2. For those who want to take an extra step, and improve their security posture, a trusted password manager is a great investment. It might take some time, but when you do not have to remember your passwords any more you will thank me. I you want to learn more about password managers I have heard good things about both Bitwarden and 1Password.

Stay secure out there!

I won’t dig deeply into the quality of the code produced by AI today, but for now I wouldn’t trust code written by AI to be run in production without rigorous code review and testing. However, if we assume that AI in the future would be of a quality high enough to be run, what would the impact be on Developers? I would argue that this is not a new problem, but a new version of an old problem.

In the early days of programming, developers had to write complex assembly to tell the computer what to do. Then came the compilers and high level languages! This new tech would allow new users with less understanding of computers to develop programs! Doesn’t that sound familiar? However, this did not limit the need for developers. It limited the need for assembly developers, but the need for modern developers skyrocketed.

My prediction is that the same will happen now. The need for traditional developers will fall, but instead we will need a new breed of developers. Developers that know how to prompt AI to create software according to the requirements of the business. Even though a developer will be more efficient the need for software will increase even more, meaning that there will be need for even more developers.

Before we get to this future we need to solve some issues at hand. Using AI for coding introduces new risks, but that we’ll have to save for another time.

What is Mastodon?

The main selling point of Mastodon is that it is a decentralised social network. Think of it as combination of Twitter and Email. Just as Twitter, Mastodon gives you a timeline of posts by people you follow. However, it is not a centralised system, instead you chose your Mastodon instance. That way your username looks as an email address. Mine for example is @edbro@swecyber.com, and my posts can be seen by any other instance.

This is called a federated solution. You work towards your instance, that shares its data with other instances. In practice this minimises the dependency on a single centralised entity. If you wish to change instance due to a lack of trust, it not being maintained or closed down you can just export your data and import it on a new instance. That could be on a personal instance or one of the larger ones that is already existing.

For now it seems to be mostly tech people whom have migrated from Twitter, but there are others as well. However, since each instance usually have a focus, this might be somewhat due to the my choice of instance to join, and the people I follow.

This design of Mastodon puts a big responsibility on its users to follow accounts with diverse opinions to not end up in a bubble. There is a risk that if you only follow people with opinions like your own, they will be further deepened, regardless if they are right or wrong. It is up to the user to ensure that views are challenged in a good way and that everyone uses their critical thinking to not be fooled by malicious actors.

Main Differences from Twitter

The main things that confused me was the likeness of twitter, while Mastodon is different. Some things that seem similar works quite different.

• There is no algorithm. You see the posts authored (or boosted) by the pepole you follow. If you want to find new people to follow you can also see the timeline of your instance and instances configured by its admin. However this timeline is sorted chronologically, and all posts of those instances are shown.
• The difference between Boosts, Favourites, and Bookmarks.
  • Boosts are retweets. On Mastodon they are used to further spread a post. This allows your followers (regardless of instance) to see the original post. Note also that it is not possible to quote boost. If you want to add something to the discussion, you need to do so as a reply.
  • Favourites shares some features with likes. They can be seen on an original post, but does not push the post to your followers. Also note that there are no algorithm pushing posts with many likes. Therefore the effect of favouriteing is limited.
  • Bookmarks are a way to save a post so that you can find it again later. These are seen by neither the author of the post nor your followers.
• The search does not search the full text. Instead only displaynames, tags, and usernames are searched. In addition, searches can only find things the instance is aware of. For example that could be posts that are federated to the users of the instance or the authors of those posts. To find a user of another instance you need their full username, including the address to the instance.
• Each post is tagged with a language. This makes it possible to use 1 account to communicate in different languages. Your followers can easily filter your posts to the languages they speak, and does not see the posts in other languages.

Thoughts on Mastodon

After getting used to the behaviour of Mastodon I really like what it does. It is a nice social network, and allows for discussions and networking in a way that twitter today doesn’t. It is easier to perform personal moderation of what I wish to see.

I have found a small instance with individuals interested in cybersecurity. This however does not limit me, I still partake in the broader community, replying to posts or sharing my thoughts from the beginning.

Hope to see you on Mastodon!

Buidling the Site

The first thing to do when migrating is to find a new theme and adapt/move things into it. I ended up choosing PaperMod, due to its simplicity in combination with a modern look and feel. With that out of the way it was time to move my logotype and descriptive texts. In both cases this kind of information is stored in the configuration files.

The next step is to move the actual contents of the blog. In Jekyll this is stored in two folders (at least in my case):

1. The posts: /_posts -> /content/posts
2. The images /assets -> /static/images

With this out of the way it is time to go through every single post to update the syntax. The first thing is the metadata of the posts, the top of my markdown files. In my case there was no difference. The following is the configuration is what was used in Jekyll.

1
2
3
4
5
6
7
8

---
layout: post
title:  "Building a Webpage"
date:   2020-08-19
categories: "Projects"
tags: ["Jekyll", "Projects"] 
author: "Oskar Edbro"
---

The layout is just discarded, and the rest have the same functionality in both Jekyll and Hugo. With this knowledge it is time to look at how each post looks. And sadly there is a difference between how images are included. The good thing is that Hugo better handles the default image syntax from markdown. This means that images can be included as shown below:

![A phone with apps seen as privacy violations](/images/2022/The-Modern-Con/The-Modern-Con-Privacy-Violation.jpg 'Photo by Jeremy Bezanger on Unsplash')

With that all the modifications required for the application is finished. The next step is to polish the site with information and ensure that all information is available.

Hosting

Setting up the hosting i Decided to use GitHub Actions instead of just using the Cloudflare auto build (as I did previously in Migrating to Cloudflare). This means that I am required to learn some thing about how to create a CICD Pipeline.

Getting everything to play nicely was a bit of a hazel, especially since I to insisted on separating the build and deploy actions into different jobs. In the end, the issue was in regards to saving and then retrieving the artefacts. When that issue was solved all went smooth. So how was it done? To build the page I used the following job:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26

  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          submodules: recursive
      - name: Setup Hugo
        uses: peaceiris/actions-hugo@v2
        with:
          hugo-version: 'latest'
          # extended: true
      - name: Build with Hugo
        env:
          # For maximum backward compatibility with Hugo modules
          HUGO_ENVIRONMENT: production
          HUGO_ENV: production
        run: |
          hugo \
            --minify 
      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: site
          path: ${{ github.workspace }}/public
          retention-days: 7

Noteworthy things are the use of an existing Hugo build action, and saving the artefacts to my GitHub workspace. We also make sure to minify the generated HTML, just to save a bit of data. It does not make much difference, but every little bit counts. For the deployment, there are just two steps. Downloading the artefacts we saved, and then uploading them to Cloudflare. The project name has however been masked.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

  deploy:
    runs-on: ubuntu-latest
    name: Deploy
    needs: build
    steps:
      - name: Download a single artifact
        uses: actions/download-artifact@v3
        with:
          name: site
          path: ${{ github.workspace }}/public
      - name: Publish
        uses: cloudflare/pages-action@1
        with:
          apiToken: ${{ secrets.CF_API_TOKEN }}
          accountId: ${{ secrets.CF_API_ID }}
          projectName: XXXXXX
          directory: ./public
          gitHubToken: ${{ secrets.GH_PAT }}

Summary

So in the end, it took more time than expected to migrate to Hugo. However, most of the time spent was in learning things. How to use GitHub Actions, how Hugo works, etc. With that out of the way, it was quite easy. Now, the next step is to start modifying the small things to get the theme even better.

The experience of publishing new posts is about the same as when hosting on Github, you just push an update to the specified branch and then a build is triggered that will be published upon completion. The main difference is that the build process is somewhat slower in Cloudflare than on Github. This means that a build can take about 5 minutes, instead of the previous 1. This is most likely due to the fact that Cloudflare pulls everything and builds locally, instead of using Jekyll remote themes.

When the post is published, there are no major difference for the user, however the statistics for the creator is much deeper. The pure web analytics (provided by JavaScript) could be implemented wherever the site was hosted, but there is more. The web analytics is the most detailed analytics, since it provides what posts were visited, referrers, user agents and more. The Cloudflare proxy analytics on the other hand does not require JavaScript, and can therefore not be blocked. The amount of information provided is not as detailed, but it gives a broader picture of the visitors. This data contains unique visitors and their origin country, but not much more. This could be seen in the web statistics as well, but that tracking is easily blocked.

Even though I have a quite negative stance on tracking, I think that information that is collected in the server anyway can be shown to the content creator without infringing the readers privacy. By being able to track number of readers it’s possible to gain insight in the trends depending on the type of content published. For this blog for example I can from the statistics note that the most interesting content is in the divide between technical security and policies. For example Spotify GDPR Analysis is one of the most read articles on the blog, and it was written before I added analysis, and posts are often read the most directly at launch.

Getting back to the topic at hand, the experience of using Cloudflare, it gives the possibility to handle everything at a single location. This includes managing the domain as an registrar, hosting the application, managing TLS certificates and much more. The only thing I’ve found that is a bit tricky is that I’ve not found a way to register a new domain, only to transfer an existing one. With that said, I’ve been very happy with my switch to Cloudflare, it gives me the tools I need for my blog, and just works.

Methodology

To perform this test I created a new virtual machine based on Windows MSEdge win10 VM. In this VM I installed the browsers intended to be tested, using the default configuration. After that I configured BurpSuite as a proxy for the VM, so that all traffic is routed through it. This way it will document all the traffic that the browser in the VM is sending.

There are three steps of testing for each browser. First just opening the browser, secondly entering the address example.com and lastly navigating by pressing learn more.

No investigations will be performed in against the in private browsing for the browsers. This is left for further investigation further down the line.

Microsoft Edge

When opening edge you are greeted by the bing feed, and that shows when looking at the traffic as well.

After just starting the browser there are traffic to 9 different domains:

• assets.msn.com contains data in a JSON format that tells the browser what to show on the homepage. This includes news, where images are stored, weather and more.
• browser.events.data.msn.com collects data from the browser. It seems to be analytics for the homepage, containing information about what is shown. This URL will be interesting to investigate further when navigating.
• config.edge.skype.com sends some identifiers to the server, and in return get a set of settings.
• edge.microsoft.com seems to be regarding updates for the browser. It asks about blocked extensions, updates for the browser etc.
• img-s-msn-com.akamaized.net Contains the images described on assets.msn.com.
• nav.smartscreen.microsoft.com sends data about the client and the device. This is another one to keep an eye on.
• ntp.msn.com contains the structure of the homepage, this includes the HTML and the scripts that initiate the loading of the homepage.
• www.bing.com the search engine, the traffic contains information about search history and sign in status.

Moving on to investigating what happens when navigating to a page will be interesting. and it begins as expected. Since the address bar doubles as a search box, its expected for each character entered to result in a new request to bing. This means that while entering example.com, Edge will also send a get request for every character. The last one sent to bing is: https://www.bing.com/qbox?query=example.com&language=en-US&pt=EdgBox&cvid=2c574712e0694ac3b9fce0aa5af8bb1f&ig=0a41dcb2e4f247abbb729fc313bf5e7f&oit=3&cp=11&pgcl=1, which contains the full URL. Following this there are some more statistics, however it is not more noteworthy than previously described.

Next one is a real problem however. The full URL is sent in a post request to https://nav.smartscreen.microsoft.com/api/browser/edge/navigate/2/sync. The dataset shown below is highly problematic, it should not send data about the users browsing habit to Microsoft. In addition to the URI, the IP field is highly worrying. If this is filled with internal IPs, it may leak information about the internal workings of networks. Note that this information is sent both when entering the URI manually, as well as when navigating the web by pressing links, and it contains both the path and URI parameters.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87

{
    "config":
    {
        "device":
        {
            "appControl":
            {
                "level": "anywhere"
            },
            "appReputation":
            {
                "enforcedByPolicy": false,
                "level": "warn"
            },
            "pua": null
        },
        "user":
        {
            "uriReputation":
            {
                "enforcedByPolicy": false,
                "level": "warn"
            }
        }
    },
    "correlationId": "89CFA157-04D4-412A-98BB-709B71C615D3",
    "destination":
    {
        "ip": null,
        "uri": "[http://example.com/](http://example.com/)"
    },
    "forceServiceDetermination": false,
    "identity":
    {
        "caller":
        {
            "locale": "en-US",
            "name": "anaheim",
            "process": null,
            "version": "90.0.818.66 (Official build) "
        },
        "client":
        {
            "data":
            {
                "customSettings": "F95BA787499AB4FA9EFFF472CE383A14",
                "customSynchronousLookupUris": "0",
                "edgeSettings": "2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1",
                "synchronousLookupUris": "637573832200302234",
                "topTraffic": "637558215533797649"
            },
            "version": "281479409434625"
        },
        "device":
        {
            "architecture": 9,
            "browser":
            {
                "internetExplorer": "9.11.17763.0"
            },
            "cloudSku": false,
            "customId": null,
            "enterprise": null,
            "family": 3,
            "id": null,
            "locale": "en-US",
            "netJoinStatus": 2,
            "onlineIdTicket": "t=GwAWAd9tBAAUCqvYdtHJRIwInP+r5YPm2nbkkcAOZgAAEJ/wJWzYvXJk2hg0pJqfC2bgAEIj8X67eJZgKm+QThVvKp4Pf8o2ZzOaAXSFVEgq9EalUkWdryzr8v31XssotVR3TTY4qVre++0pt/cdfd0BFmp51zVLf348JdKxQhYIowBw3CA44g5aEBxqprJm0rya6ydnDJaGbuxnumU8USS8KjKgyarnmEdamOuwQArEh2IdE0dBC/qghRR9YhCoBcoJWcUaQViqx4ZyWq+DyIEQuZRzf/T2UqHWvd5zzDPpUBcnqXV8hAfRISO36nnQMqYdFgx26hzL4T/Ye7M+LLbnfkpr7qblGQBMZOyemn3NJBMbHQE=&p=",
            "osVersion": "10.0.17763.1935.rs5_release"
        },
        "user":
        {
            "locale": "en-US"
        }
    },
    "referrer": null,
    "serverContext": null,
    "signals": null,
    "synchronous": true,
    "systemSettings":
    {
        "battery": null,
        "network": null
    },
    "type": "top",
    "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36 Edg/90.0.818.66"
}

After this there are a couple of new URIs that has not been seen previously. These are:

• x.urs.microsoft.com seeming like further statistics.
• smartscreen-prod.microsoft.com sending a JSON via get request, returning binary data. It seems to be a certificate of some kind, but this investigation has not validated it.

In total Edge uses 10 different domains, and send quite a lot of privacy infringing information to Microsoft using their smartscreen function.

Google Chrome

In Chrome the start page is a version of the classic Google search box, and a list of previously visited webpages. As with Edge, Chrome sends requests to a set of domains, but for Chrome it uses 9, 6 of which generates a response.

• accounts.google.com is used to list the accounts signed into the browser. Since the test was performed without signing in, this might contain more information if signed in.
• clientservices.googleapis.com sends information about the chrome version and OS, and gets binary contents in the response.
• www.google.com fetches information to be shown in the new tab.
• update.googleapis.com is used to check if there are updates available for Chrome.
• clients2.googleusercontent.com is used to download updates in a binary format. The URL was given in the response from update.googleapis.com.
• Random strings Three requests are made targeting URLS of randomised 12 character strings. There are no response to these requests. Further research is needed to gain insights into their use.
• ssl.gstatic.com fetches a binary file in regards to safebrowsing. This does (according to Google) allow the browser to block unwanted and malicious pages.

While then entering the URL for navigation, the browser tries to search google. This is once again due to the use of a combined search and address box. Once the navigation is completed however, there are only one more unexpected request. This request was to translate.googleapis.com, fetching what languages are available for translation. It did not however contain information about the webpage visited.

When navigating away by clicking a link Chrome did not send any further requests except the ones required by the webpage. This is a good result, especially when comparing it to Edge and its abysmal privacy concerns.

Mozilla Firefox

When starting Firefox you are greeted by a start page that very much resembles the one of Chrome. It consists of a google search box and previously visited webpages. At this point there are requests sent to 5 different destinations:

• detectportal.firefox.com seems to be used to test the internet uplink, it is sent three times. Each time with different parameters and the same response, Success.
• push.services.mozilla.com initiates a websocket connection, where the browser subscribes to changes from Mozilla through push notifications.
• snippets.cdn.mozilla.net sends information about the current environment for the browser (Windows), and gets an empty response with the HTTP Status code 303 See Other. However the location (on the same host) was never requested by the browser.
• incoming.telemetry.mozilla.org is sent telemetry in binary form. Mozilla describes what is sent at https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/, but further investigations are needed to validate the claims.
• aus5.mozilla.org is used to check for available updates.

When navigating manually to https://example.com Firefox performs searches against Google. However it does also send more binary telemetry. This continues when further navigating by clicking URLs on the webpage. Firefox is a somewhat chatty browser, that sends traffic in-between usage. This includes the binary telemetry that has not been investigated in this report.

Brave

Brave has the unique selling point to be a privacy focused browser. It has an inbuilt adblocker, and on the start page it boasts with how much time has been saved by the browser since it was installed.

During the install process it asks for what search engine to use, but for this test the standard (google) was used. When opening the browser there are a couple of requests, as usual. However there are only 4 that resolves, and the thre randomised ones from chromium.

• laptop-updates.brave.com seems to fetch updates the list of ads that adhere to Braves standards. This could however not be validated.
• variations.brave.com checks if there are any updates for Brave.
• go-updater.brave.com checks for updates for extensions (or extension like components) in Brave.
• componentupdater.brave.com checks for updates in components for brave. -Random strings Three requests are made targeting URLS of randomised 12 character strings. There are no response to these requests. Further research is needed to gain insights into their use.

When navigating the web as described by the methodology no further requests was found. However, after the test was finished another request was found, safebrowsing.brave.com, which seems to have the same function as safebrowsing in Chrome. There is one difference though, it uses a dummy token, limiting some of the data sent to the server.

Summary

In conclusion this quick test showed that there are one browser that are worse than all the others, edge. The behaviour of Microsoft that collects all visited URLs is abysmal! As long as Edge is not used, this limited investigation has shown very limited differences between the browsers.

This investigation should not be seen as a complete deep dive into the browsers, but rather a quick overview. To get the complete picture there are several further steps that are required.

1. Investigating traffic during prolonged use
2. Further investigating unclear traffic
3. Investigating in private browsing
4. Investigate the privacy settings of each browser

Migrating from GitHub pages to Cloudflare pages was as easy as configuring what GitHub repo to use in Cloudflare, picking Jekyll and then it just worked. Right after the page was built you see some basic statistics, such as the amount of request grouped by country. Below the first hours of traffic is shown in a map, as presented by Cloudflare.

In addition to providing basic statistics, using Cloudflare gives a lot of additional benefits. This includes the use of their Content Delivery Network, protection from Denial of Service, and easy HTTPS. I have not dug deep into which is best in these regards, but i find it difficult to believe that I have made a significant downgrade.

So in conclusion to gain some basic statistics of the usage of my blog, I’ve migrated it to Cloudflare. The solution will not track any personal data, only basic statistics to gain some insight in how many readers are using/enjoying my blog.

I’ve been using a simple todo software for quite a while now, to keep track of my tasks. However, I have used the list in an ad hoc manner. Not having a routine in my task management meant that the list always was incomplete. About a month ago I had enough and began figuring out a better way to organise my life. Without having reached the final and optimal organisation routine I wish to share my thoughts so far.

The task list

The first step to start leveraging the positives of todo lists is to figure out where to keep them. For me that choice ended up being in software, but it can just as well be in a paper format. The main thing is that the tasks should be collected at an easily referenced location.

When it comes to software, there are many different solutions to choose from, and depending on your prioritisations different ones might fit your needs. After some considerations I had a set of requirements of what I wished for in my todo software.

1. Cross platform sync: I need my tasks to be synced and accessible on both on my PC and my phone.
2. Reminders: I want to be able to set a reminder to a task, and that reminder should be shown on relevant devices at the specified time.
3. Organisation: It should be easy to organise tasks into projects, priorities, locations and so on. In addition it should be easy to filter based on these organisations.
4. Ease of use. It should be quick and easy to add a task with any organisation and schedule.
5. Templates: I wish to be able to import a task with subtasks for tasks that are similar.

For me these requirements landed me in using Todoist. It allows for projects and tags that I can use for organisation, and the filters allows me to create any tasklist I wish. The main feature however is their quick add, that allows me to add a task with tags, due date, project and more with a single sentence. Not even a single mouseclick needed, just a shortcut and then write.

Organisation

How to organise the tasks is personal. For me I have three projects; Private, Work and Templates. In these I use dividers and tags to easily find what I’m looking for. Example of tags I use is Digital for tasks I can do anywhere as long as I have a PC, or Anytime for tasks without a due date that can be performed whenever.

Based on these projects and tags I’ve created filters that allows me to get an overview of relevant tasks based on my current prerequisites.

Routine

The main thing I’ve come to realise is that the tasklist has to be dynamic and changing. It can and will change in more ways than one. Priorities change, tasks are added and removed, and so does my requirements. Therefore I review my tasks daily (not finished today, what is planned tomorrow) and weekly (this and next week, as well as non scheduled tasks). In addition to reviewing my tasks I’ve scheduled for me to review my workflow with my tasks monthly. My current workflow serves me well for now, but it can and will be improved with time. Both through personal experience and through insights from others.

Conclusion

In my journey to improve my productivity I have come to a routine of working with tasks that fit me. It is based on organisation, ease of adding tasks, and continuos improvement. You should try to learn tips and tricks from others, but how you organise and get things done is up to you. Getting inspiration is great, but you must find what works for you.