Most web services hoard your data permanently and sometimes share or even sell it to third parties and governments. Taskenizer is different. In addition to the on-the-wire authentication and encryption that most web applications use, it also has a data-at-rest protection system to ensure that your data is available only to you.

On the wire security

Taskenizer uses the same type of on-the-wire protection that most websites use: TLS encryption with a certificate for authentication. This serves two purposes: 1. it stops people from eavesdropping on your communications, and 2. it guarantees that you are really connected to the address you see in the address bar. This scheme is effective, which is why most websites use it. Most web browsers display an indicator of this encryption in some way, e.g. a padlock image in the address bar. Taskenizer is not accessible without TLS, so if you don't see this indicator it means you are connected to a spoof website.

Note that this protection can be defeated if you are using a web browser that has been tampered with to accept invalid security certificates. This may be the case in some workplaces or on public computers, where the administrators deploy MITM attacks on users.

Passphrase security

Taskenizer's password prompt is rate limited, and password failures are logged so that the system administrators can take action against robots attacking the password prompt.
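The paragraph above says only that the prompt is rate limited and that failures are logged. The following is an added example (not Taskenizer's code) of one way a server can do both: a per-account sliding window of recent failures, a threshold after which the passphrase is not even checked, and a log line per failure for administrators to act on. The threshold, window length, type and function names, and the client addresses are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"log"
	"sync"
	"time"
)

// Thresholds are assumptions; the page says only that the prompt is rate limited
// and that failures are logged.
const (
	maxFailures = 5                // failed attempts tolerated per account per window
	window      = 15 * time.Minute // how long a failure counts against the account
)

// LoginLimiter keeps the timestamps of recent failures per account name. The
// clock is injectable so the sliding window can be tested without sleeping.
type LoginLimiter struct {
	mu       sync.Mutex
	failures map[string][]time.Time
	now      func() time.Time
}

func NewLoginLimiter(clock func() time.Time) *LoginLimiter {
	return &LoginLimiter{failures: map[string][]time.Time{}, now: clock}
}

// recent drops the account's failures that have aged out of the window and
// returns those that remain.
func (l *LoginLimiter) recent(user string, now time.Time) []time.Time {
	kept := l.failures[user][:0]
	for _, ts := range l.failures[user] {
		if now.Sub(ts) < window {
			kept = append(kept, ts)
		}
	}
	l.failures[user] = kept
	return kept
}

// Allowed reports whether an attempt for this account should be checked at all;
// once the threshold is reached the server refuses without touching the hash.
func (l *LoginLimiter) Allowed(user string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return len(l.recent(user, l.now())) < maxFailures
}

// RecordFailure counts a wrong passphrase, writes the log line an administrator
// would act on, and returns the current count inside the window.
func (l *LoginLimiter) RecordFailure(user, remoteAddr string) int {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	l.failures[user] = append(l.recent(user, now), now)
	n := len(l.failures[user])
	log.Printf("auth failure user=%q from=%s recent_failures=%d", user, remoteAddr, n)
	return n
}

// RecordSuccess clears the account's counter after a correct passphrase.
func (l *LoginLimiter) RecordSuccess(user string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, user)
}

func main() {
	lim := NewLoginLimiter(time.Now)
	for i := 1; i <= 7; i++ {
		if !lim.Allowed("alice") {
			fmt.Printf("attempt %d refused: account is rate limited\n", i)
			continue
		}
		lim.RecordFailure("alice", "203.0.113.7") // constructed client address
	}
}
```

Keying the window on the account name rather than the client address is what stops a distributed guessing run against one account; a real deployment would usually keep a second, per-address limiter as well.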

The Taskenizer server does not store your passphrase; rather, it stores a cryptographic hash of it. Since cryptographic hash functions are infeasible to reverse, someone who breaks into Taskenizer's server and gains access to its database cannot find out your passphrase, as long as it is long enough and random enough (their only option is to guess candidate passphrases and hash each one). This is especially important because some people use the same passphrase for everything. The hash is implemented with PBKDF2 with SHA-256 and a 256-bit salt.

Data at rest protection

When you log in, your passphrase is run through a password-based key derivation function with a salt stored in the database (a different salt from the one used for hashing the passphrase). This produces an encryption key, which is then stored in a cookie in your browser. Obviously, the cookie is protected by TLS on its way to your computer. Now, whenever you load a page or take an action on Taskenizer, the cookie containing the key is sent with the request. The server uses this key to decrypt the category keys, which are stored (encrypted) for each task category in the Taskenizer database and which are in turn used to encrypt and decrypt the textual content of your tasks as they are written or read. The cipher used is AES. Taskenizer never stores your encryption key; it exists only in your browser.
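The two uses of PBKDF2 described in the "Passphrase security" section and in the paragraph above, as an added example in Go that is not Taskenizer's code: the same passphrase is hashed with one 256-bit salt for login verification and run through the same function with a second, independent salt to produce the encryption key, and the server record holds only the two salts and the hash. The page gives the algorithm (PBKDF2 with SHA-256) and the salt size but not the iteration count or the key length; 100,000 iterations and a 256-bit key are assumptions, as are the type and function names. PBKDF2 is written out by hand so the example needs only the standard library.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
)

// The page names PBKDF2 with SHA-256 and a 256-bit salt but not the work
// factor; the iteration count here is an assumption for the example.
const iterations = 100000

// pbkdf2SHA256 is PBKDF2 (RFC 8018) with HMAC-SHA256, written out so the
// example needs only the standard library.
func pbkdf2SHA256(passphrase, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, passphrase)
	var out []byte
	for block := uint32(1); len(out) < keyLen; block++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], block)
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil) // U_1 = PRF(P, S || INT(block))
		t := append([]byte(nil), u...)
		for i := 1; i < iter; i++ { // T = U_1 xor U_2 xor ... xor U_c
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// pbkdf2Hex is a convenience wrapper for checking against published vectors.
func pbkdf2Hex(passphrase, salt string, iter int) string {
	return hex.EncodeToString(pbkdf2SHA256([]byte(passphrase), []byte(salt), iter, 32))
}

// newSalt returns 256 random bits, the salt size the page states.
func newSalt() []byte {
	s := make([]byte, 32)
	if _, err := rand.Read(s); err != nil {
		panic(err)
	}
	return s
}

// StoredUser is the server-side record: the salt and hash used to verify the
// passphrase, and a second, independent salt used only to derive the encryption
// key. Neither the passphrase nor the derived key is ever stored.
type StoredUser struct {
	HashSalt, Hash, KeySalt []byte
}

func Register(passphrase string) StoredUser {
	u := StoredUser{HashSalt: newSalt(), KeySalt: newSalt()}
	u.Hash = pbkdf2SHA256([]byte(passphrase), u.HashSalt, iterations, 32)
	return u
}

// Login compares the hash in constant time and, only on success, derives the
// 256-bit encryption key that the browser would then carry in its cookie.
func Login(u StoredUser, passphrase string) (key []byte, ok bool) {
	h := pbkdf2SHA256([]byte(passphrase), u.HashSalt, iterations, 32)
	if subtle.ConstantTimeCompare(h, u.Hash) != 1 {
		return nil, false
	}
	return pbkdf2SHA256([]byte(passphrase), u.KeySalt, iterations, 32), true
}
```

Using two different salts is what keeps the stored hash from doubling as the encryption key: an attacker holding the database has the hash but still needs the passphrase to reproduce the key, because the key was derived under the other salt.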

If you choose to share a category with another user, the category key is encrypted a second time, using their key, so that two encrypted copies of the category key are stored on the server. Categories can therefore be shared with another user without compromising security. A diagram of the whole scheme is available here.

This scheme means that, if someone gains access to the database (whether by cracking into the server over the network or physically breaking into the data-centre in which the server is stored and stealing the hard-drive), they cannot access the textual content of your tasks, unless they can guess your passphrase.
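The category-key wrapping and sharing described in the two preceding sections, as an added example in Go that is not Taskenizer's code. Each user's key is taken here as a given 32-byte value (in the real system it is the key derived at login and carried in the cookie); the server record holds the category name in the clear, one wrapped copy of the category key per reader, and the task text encrypted under the category key. The page says only "AES", so AES-256-GCM is an assumption, as are the type and function names, and the page does not describe how the recipient's key becomes available when sharing, so the example simply takes it as a parameter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// seal encrypts with AES-256-GCM and prepends the random nonce; open reverses
// it and fails if the key is wrong or the data has been tampered with.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

func open(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	if len(data) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, data[:gcm.NonceSize()], data[gcm.NonceSize():], nil)
}

// Category is the server-side record: plaintext name, the category key wrapped
// once per reader under that reader's key, and task text under the category key.
type Category struct {
	Name        string
	WrappedKeys map[string][]byte
	Tasks       [][]byte
}

func NewCategory(name, owner string, ownerKey []byte) *Category {
	catKey := randomBytes(32)
	return &Category{Name: name, WrappedKeys: map[string][]byte{owner: seal(ownerKey, catKey)}}
}

// categoryKey unwraps the category key with the key from the caller's cookie.
func (c *Category) categoryKey(user string, userKey []byte) ([]byte, error) {
	wrapped, ok := c.WrappedKeys[user]
	if !ok {
		return nil, errors.New(user + " has no key for " + c.Name)
	}
	return open(userKey, wrapped)
}

func (c *Category) AddTask(user string, userKey []byte, text string) error {
	k, err := c.categoryKey(user, userKey)
	if err != nil {
		return err
	}
	c.Tasks = append(c.Tasks, seal(k, []byte(text)))
	return nil
}

func (c *Category) ReadTasks(user string, userKey []byte) ([]string, error) {
	k, err := c.categoryKey(user, userKey)
	if err != nil {
		return nil, err
	}
	var out []string
	for _, ct := range c.Tasks {
		pt, err := open(k, ct)
		if err != nil {
			return nil, err
		}
		out = append(out, string(pt))
	}
	return out, nil
}

// Share stores a second copy of the category key wrapped under the recipient's
// key; how that key reaches the sharer is not described on the page.
func (c *Category) Share(from string, fromKey []byte, to string, toKey []byte) error {
	k, err := c.categoryKey(from, fromKey)
	if err != nil {
		return err
	}
	c.WrappedKeys[to] = seal(toKey, k)
	return nil
}
```

Because the category key is random and wrapped separately for each reader, adding a reader never re-encrypts the tasks and never exposes one user's key to another; whoever copies the database gets only wrapped keys and ciphertext.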

It's important to understand that Taskenizer's security does have limited scope. If someone cracked into the server without being detected and gained sufficient privileges, they could modify Taskenizer's software to make it behave in any way they wanted, including ways that would disable the above security schemes and compromise the security of users' passphrases or tasks. Note, however, that this should be difficult on a competently configured and maintained server (security updates promptly installed, logs monitored, services running under separate, unprivileged user accounts and a good intrusion-detection system).

Only the textual content of your tasks is encrypted, not metadata such as whether a task is deferred or highlighted. So, for example, if you have a habit of checking that your smoke alarm works every month, someone who somehow gained access to our database would know that you have a habit of doing something once a month, when it is next due and whether it is highlighted, but they would not be able to see what the habit actually is. Category names are also not encrypted.

The user

If you want your Taskenizer account to be secure you must use a strong passphrase. If you aren't storing anything security-critical in your account, I'd recommend either 8 random characters or 3 random words (>300 trillion combinations). If you want to take full advantage of Taskenizer's data-at-rest protection, I'd recommend either 14 random characters or 5 random words (>20 trillion-trillion combinations). Note that for the above calculations I assumed "characters" to be picked at random from the entire lower-case and upper-case English alphabet, the digits 0..9 and at least 3 symbols, and "words" to be picked at random from all 170,000 words in the English language.

Please do not use the same passphrase for Taskenizer as you use for something else important; otherwise, if it is found out, the attacker has access to both.

Please do not forget your passphrase: if you do, your data is permanently lost, for reasons that will be clear after reading the "Data at rest protection" section. If you have a bad memory, either store it in a password manager, or write it on paper and put it in your safe.

Every time you log in to Taskenizer you should check that the address is correct and make sure your connection is encrypted. This is usually indicated with a padlock in your address bar. If the connection is not encrypted then you are connected to a spoof website and must not continue.

Make sure that the device you are using to access Taskenizer is secure and trusted. If you are using a browser that has been tampered with to accept invalid security certificates, or has a key-logger installed, then all of Taskenizer's security becomes irrelevant.