https://herman.bearblog.dev/feed/

Herman's blog

https://herman.bearblog.dev
Feed updated: 2025-10-19T11:36:48.726490+00:00

Hi I'm Herman Martinus. I'm a maker of things, rider of bikes, and hiker of mountains.

Smartphones and being present
https://herman.bearblog.dev/being-present/
Updated: 2025-10-13T13:29:05.448808+00:00

I read an article yesterday, stating that on average, people spend 4 hours and 37 minutes on their phones per day, with South Africans coming in fourth highest in the world at a whopping 5 hours and 11 minutes.

This figure seems really high to me. If we assume people sleep roughly 8 hours per day, that means that one third of their day is spent on their phones. If we also assume people work 8 hours per day (ignoring the fact that they may be using their phones during work hours), that suggests that people spend over half of their free time (and up to 65% of it) glued to their screens.

I never wanted to carry the internet around in my pocket. It's too distracting and pulls me out of the present moment, fracturing my attention. I've tried switching to old-school black and white phones before, but always begrudgingly returned to using a smartphone due to the utility of it. The problem, however, is that it comes with too many attention sinks tucked in alongside the useful tools.

I care about living an intentional and meaningful life, nurturing relationships, having nuanced conversations, and enjoying the world around me. I don't want to spend this limited time I have on earth watching short form video and getting into arguments on Twitter.

[Image: Scarborough] This is what I enjoy. Picture taken yesterday in Scarborough, South Africa.

I've written at length about how I manage my digital consumption, from turning off notifications to forgoing social media entirely. The underlying premise here is that if you're trying to lose weight, you shouldn't carry cookies around in your pockets. And my phone is the bag of cookies in this metaphor.

We're wired to seek out distraction, novel information, and entertainment, and avoid boredom at all costs. But boredom is where creativity and self-reflection do their best work. It's why "all the best ideas come when you're in the shower"—we don't usually take our phones with us into the shower (yet).

According to Screen Time on my iPhone, on average I spend 30 minutes per day on it, which I think is reasonable, especially considering the most-used apps are by-and-large utility apps like banking and messages. This isn't because I have more self-control than other people. I don't think I do. It's because I know myself, and have set up my digital life to be a positive force, and not an uninspired time-sink.

There are many apps and systems to incentivise better relationships with our phones, mostly based around time limits. But these are flawed in three ways:

  1. I'm an adult, I know how to circumvent these limits, and I will if motivation is low.
  2. Time limits don't affect the underlying addiction. You don't quit smoking by only smoking certain hours of the day.
  3. The companies that build these apps have tens of thousands of really smart people (and billions of dollars) trying to get me hooked and keep me engaged. The only way to win this game isn't by trying to beat them (I certainly can't), but by not playing.

The only way I've found to have a good relationship with my phone is to make it as uninteresting as possible. The first way is to not have recommendation media (think Instagram, TikTok, and all the rest). I'm pro deleting these accounts completely, because it's really easy to re-download the apps on a whim, or visit them in-browser. However some people have found that having them on a dedicated device works by isolating those activities. Something like a tablet at home that is "the only place you're allowed to use Instagram". I can't comment too much on this route, but it seems reasonable.

My biggest time sink over the past few years has been YouTube. The algorithm knew me too well and would recommend video after engaging, but ultimately useless video. I could easily burn an entire evening watching absolute junk—leaving me feeling like I'd just wasted what could have otherwise been a beautiful sunset or a tasty home-cooked lasagne. However, at the beginning of this year I learnt that you can turn off your YouTube watch history entirely, which means no recommendations. Here's what my YouTube home screen now looks like:

[Screenshot 2025-10-11 at 08: YouTube home screen with watch history turned off]

Without the recommendations I very quickly run out of things to watch from the channels I'm subscribed to. It's completely changed my relationship with YouTube since I only watch the videos I actually want to watch, and none of the attention traps. You can turn off your YouTube watch history here, and auto delete your other Google history (like historic searches and navigation) here, which I think is just good practice.

I also used my adblocker, AdGuard on Safari which has a useful "block element" feature, to block the recommended videos on the right of YouTube videos. I use this feature to hide shorts as well, since I have no interest in watching them either, and YouTube intentionally makes them impossible to remove. If you're interested in a similar setup, here are the selectors I use to block those elements:

    youtube.com###items > ytd-item-section-renderer.style-scope.ytd-watch-next-secondary-results-renderer:last-child
    youtube.com###sections
    youtube.com##[is-shorts]
    youtube.com###secondary

The only media that I do sometimes consume on my phone are my RSS feeds, but it's something I'm completely comfortable with since it's explicitly opt-in by design and low volume.

While I still have the twitch to check my phone when I'm waiting for a coffee, or in-between activities—because my brain's reward system has been trained to do this—I'm now rewarded with nothing. Over time, I find myself checking my phone less and less. Sometimes I notice the urge, and just let it go, instead focusing on the here and now.

I think that while the attention-span-degrading effects of recommendation media are getting most of the headlines, what isn't spoken about as much is the sheer number of hours lost globally to our phones (3.8 million years per day, according to my back-of-the-napkin-math). And while people may argue that this could involve productive work or enjoyable leisure, I suspect that the vast (vast!) majority of that time is short-form entertainment.

My solution may sound overkill to many people, but I can say with absolute certainty that it has turned me into a more present, less distracted, and more optimistic person. I have much more time to spend in nature, with friends, or on my hobbies and projects. I can't imagine trading it in for a tiny screen, ever.

Give it a try.

[Image: Scarborough] Happily on the beach for sunset.

Living intentionally in a world of distraction.
Published: 2025-10-13T13:04:00+00:00

PIRACYKILLS
https://herman.bearblog.dev/piracy-kills/
Updated: 2025-10-03T07:49:08.074173+00:00

Most people who read my blog and know me for the development of Bear Blog are surprised to learn that I have another software project in the art and design space. It's called JustSketchMe and is a 3D modelling tool for artists to conceptualise their artwork before putting pencil to paper.

It's a very niche tool (and requires some serious explanation to some non-illustrators involving a wooden mannequin and me doing some dramatic poses), however when provided as a freemium tool to the global population of artists, it's quite well used.

Similar to Bear, I make it free to everyone, with the development being funded through a "pro" tier. Conversely, since it is a standalone app it has a bit of a weakness, which is what this post is about.

I noticed, back in 2021, that when Googling "justsketchme" the top 3 autocompletes were "justsketchme crack", "justsketchme pro cracked", and "justsketchme apk". On writing this post, I checked that this still holds true, and it's fairly similar 4 years later.

[Image: justsketchme-google, Google autocomplete results for "justsketchme"]

The meaning of this is obvious. A lot of people are trying to pirate JustSketchMe. However, instead of feeling frustrated (okay, I did feel a bit frustrated at first) I had a bright idea to turn this apparent negative into a positive.

I created two pages with the following titles and the appropriate subtitles to get indexed as a pirate-able version of JustSketchMe:

[Image: justsketchme-1664202109, the titles of the two pages]

These pages rank as the first result on Google for the relevant search terms. Then on the page itself I tongue-in-cheek call out the potential pirate. I then acknowledge that we're in financially trying times and give them a discount code.

And you know what?

That discount code is the most used discount code on JustSketchMe! By far! No YouTube sponsor, nor Black Friday special even comes close.

In some ways this is taking advantage of a good search term. In others it's showing empathy and adding delight, creating a positive incentive to purchase to someone who otherwise wouldn't have.

The discount code is PIRACYKILLS. I'll leave it active for a while. 👮🏻‍♂️

How to use piracy to your advantage.
Published: 2025-10-03T07:30:00+00:00

Miscellaneous updates
https://herman.bearblog.dev/misc-updates/
Updated: 2025-09-22T07:40:37.607154+00:00

Hi everyone,

Just some updates about upcoming travel and events; responses to the recent post about social media platforms; and some thoughts about the Bear license update.

Travel

I'll be heading to Istanbul next week for Microconf, which is a yearly conference where non-venture track founders get together, explore a new city, and learn from one another. I had meant to go to the one last year in Croatia, but had just gotten back from two months in Vietnam, and the thought of travelling again so soon felt daunting.

I've made two Bear t-shirts for the conference. One light and one dark mode—inspired by the default Bear theme. Let's see if anyone notices!

[Image: bear-shirts, the light and dark mode Bear t-shirts]

If you live in Istanbul and want to grab coffee, I'm keen! If you've previously travelled to Istanbul and have recommendations for me, please pop me an email. I have a few days to explore the city.

Slow social media

I received so many great emails from people about my post on slow social media. There are many great projects underway at the moment, and many great projects that unfortunately didn't make it. Some notable standouts to me:

Unfortunately no longer with us:

Here are some projects that are up-and-running. These aren't necessarily all "social networks", nor necessarily viable at scale, but each of them has an element or two that makes them interesting.

  • Haven - Private blogs for friends
  • Letterloop - Private group newsletters
  • Locket Widget - Share photos to your friend's home screen
  • Pixel social - A server-less private social network running on WebXDC
  • Micro.one - A fediverse integrated blog by Manton of Micro.blog
  • runyourown.social - How to run a small social network site for your friends

There were many other projects in various states of development that I haven't had the time to fully explore yet, but I'll get to them over the next week or so.

Bear licence update

Somehow my post about the change in the Bear source code license exploded on Hacker News, Tildes, Lobsters, and Reddit, and has been read over 120,000 times.

The vast majority of the emails and responses I received were positive, but about 10% of the Hacker News crowd got really mean about it without taking the time to understand the context. I guess I can't expect empathy from 120,000 people.

Regardless, if you're interested in reading about the controversy The Grizzly Gazette covered it quite well.

While I don't feed the trolls on Hacker News (and find comments to be a pretty poor place to have nuanced discussions in general), I'd like to respond to a few of the main critiques here.

  1. "You built a community and then exploited it!" (I'm paraphrasing here)

While Bear (the platform) has a community, and a very good one at that, the source-code part of Bear has never been community oriented. Bear doesn't accept code contributions and the code has been written by me personally. I have not engaged in the exploitation of free developer labour, nor used it being open-source as marketing material.

I suspect that these kinds of comments arose from the (justified, but ultimately misguided) assumption that the Bear project had active contributors and a community surrounding the code itself.

  2. "Get your license right the first time!" (also paraphrasing)

Yes, I shouldn't have released Bear on an MIT license in the beginning. I didn't even think about licenses when I launched Bear in 2020 and just used the default. I also didn't expect free-ride competition to be an issue in this space. So, this is a justifiable criticism, even if it feels like it was made in bad faith.

  3. "Use a GPL instead of a source-available license" (yes, also paraphrasing)

This was a common criticism, but fails to resolve the main reason for this change: people forking and hosting a clone of Bear under a new name, social elements and all. The AGPLv3 license only specifies that they would need to release their version of the code under the same license. This doesn't dissuade free-ride competition, at least not in this context.

Bear's source code was never meant to be used by people to set up competing services to Bear. It was there to ensure that people understand what's going on under the hood, and to make the platform auditable. I specify this in the CONTRIBUTIONS.md that was last updated 2 years ago.

In summary, Bear is a platform, not a piece of self-hostable software. I think these criticisms are justified sans-context. With context, I don't think the same arguments would have been made. But Hacker News is well known for nasty comments based on the title of the post alone.

fin

Aaand we're done! Lots of updates. Please feel free to email me your thoughts, recommendations, or anything else. If you haven't dug through my past posts, here're a few lesser-read posts that I enjoyed writing:

If you haven't subscribed to my blog, you can do it via the RSS feed or email.

Have a goodie!

Just some bits and pieces that don't justify a whole post.
Published: 2025-09-19T09:45:00+00:00

Slow social media
https://herman.bearblog.dev/slow-social-media/
Updated: 2025-10-02T13:41:18.903926+00:00

People often assume that I hate social media. And they'd be forgiven for believing that, since I am overtly critical of current social media platforms and the effects they have on individuals and society; and deleted all of my social media accounts back in 2019.

However, the underlying concept of social media is something I resonate with: Stay connected with the people you care about.

It's just that the current form of social media is bastardised, and not social at all. Instead of improving relationships and fostering connection, they're advertisement-funded content mills which are explicitly designed and continually refined to keep you engaged, lonely, and unhappy. And once TikTok figured out that short-form video with a recommendation engine is digital crack, all other social media platforms quickly sprang into action to copy their secret sauce.

Meta basically turned Instagram and Facebook from 'connecting with friends' into 'doom-scrolling random content'. Even Pinterest is starting to look like TikTok! They followed user engagement, but not the underlying preferences of their users. I posit that any for-profit social media will eventually degrade into recommendation media over time.

I don't think most people using these platforms understand that they are the product. Instagram isn't built for you. It's built for marketers. It's built for celebrities to capitalise on their audiences. It's built for politicians and their cronies to sway sentiment. It's built to be as addictive as possible, and to capitalise on your insecurity and uncomfortability.

Imagine that, society and politics are on the rocks all so a fitness influencer can sell you their "Abs in 30 days" training program.

These platforms are the quintessential poster child for late-stage capitalism.

Okay, now that we've established what the problems with current platforms are—what would a non-evil social media platform look like?

I'd love to see everyone running a blog, and subscribing to the people they care about via RSS. But unfortunately this doesn't scale since it requires effort to put your thoughts down in writing longer than 255 characters. I have many friends who don't even know I have a blog, or what an RSS reader is.

So while everyone blogging may be the ideal we can aspire to, let's design a hypothetical social media platform that takes the good aspects of current social media, while creating pro-social incentives.

The platform should be about:

  • Keeping up with friends, family, and other acquaintances
  • Connection (but, you know, real connection)
  • Improving relationships
  • Thoughtful engagement

The platform should NOT be about:

  • Collecting followers
  • Self-promotion
  • Advertising and marketing
  • Short-form video and media entertainment

In my opinion, as soon as there is the ability for commercial interests to take hold, they will. The "follow" mechanism is a key part of that. I propose that instead of followers we should regress back to the "friend" or "connection" system where there is a symmetric relationship where both people have to agree to the connection. There is no good reason to have "followers" on a platform that is trying to improve relationships. "Following" is purely for egotistical or financial gain and breeds parasocial relationships.

I think there should also be a reasonable cap on the number of connections that can be made. Something like 300 friends sounds right. Any more than that and you're a collector, and not using the platform to foster connection.

This feature alone already removes 90% of the marketing interests in the platform. Do you want to make a connection, but are maxed out? You'll need to unfriend someone first.

The second necessary element would be a chronological feed with posts from your connections. This turns the platform from an engagement engine into a way to keep up with what everyone else is doing, but importantly, gives you a natural "end" to the feed when you start seeing posts you've already viewed. This way when you start scrolling there's an explicit stopping point.

Relatedly, pagination is more humane than infinite-scroll since it gives users a natural breathing point where they can decide whether they want to keep going. Infinite-scroll is such an obvious user-trap, and I view any website doing it as not having its user's best interests at heart.

And finally, there should be a reasonable cap on the number of times a user can post per day. Roughly 5 times per day feels like the upper threshold of what you can post while being intentional about what it is you're posting. This will keep the feed reasonably populated without one or two people completely overwhelming it.

The rest of the platform can be optimised to be as easy-to-use as possible. Something like a mixture between the old Instagram and Twitter, with comments and reactions. No reels or any other recommendation system to keep people engaged to death. And no analytics, since that would be optimising for reach and engagement instead of the stated goal of connection.

Do I expect a platform like this to succeed? Not by the traditional metrics of success. In the real world it would exist alongside the content mills, which are exciting by design and competing for attention. Could it work in niche groups, or amongst intentional people who are sick of the current platforms? Maybe.

Naturally, a project like this would have to be funded somehow, and unfortunately very few people are willing to pay $5 per month for software services, even if they use it every day. However, I suspect that a social media platform like this would be manageable enough that a small team could run it fairly cheaply and profitably if they're creative. Perhaps with nothing but donations.

Who will create this egalitarian social media? Not me, that's for sure. I already have my fair share of work moderating the Bear discovery feed, to the extent I've had to bring on a second moderator (hello Sheena!) to keep it clean of spam and other nasty things that free services on the internet attract.

That being said, I would love to see something like this. I'd love to be able to stay connected with friends and family abroad without having my attention sold to the highest bidder.

If anyone is working on something like this, I'd be happy to consult.

--
edit: I've collated a bunch of responses as well as some neat projects that were brought to my attention in Miscellaneous updates.

How can we design better platforms?
Published: 2025-09-16T09:44:00+00:00

If Apple cared about privacy
https://herman.bearblog.dev/apple-privacy/
Updated: 2025-09-10T11:53:02.709716+00:00

If you're not aware yet, in 2022 Alphabet paid Apple $20 billion for Google to be the default search engine on Apple devices, according to unsealed court documents in the Justice Department's antitrust lawsuit against Google. This is because defaults matter. The vast majority of people use the default search engine/browser/maps/setup that a device comes standard with. They also just live with the default notification settings, which I've written about before in an essay on digital hygiene.

Say what you will about Apple, but they do care about user experience more than the other big tech companies. This is mostly because the value-exchange with Apple is clear: You give them money, and in return they give you good hardware and software, and a commitment to privacy.

With Google this relationship is more nebulous. Google gives you a free search engine, free email, free document editing and storage, a free browser, free maps, and a bunch of other useful services; but the money comes from...elsewhere. It comes from influencing your buying decisions, and selling your data and attention to marketers; along with a whole host of privacy and security infringements along the way.

I understand why Google paid Apple all that money. Not only does it send lots of high value traffic to Google, but it also disincentivises Apple from creating their own search engine and competing with Google in this space.

Yet Apple is also the company that runs ads like this:

[Image: apple-privacy, an Apple privacy billboard ad]

By accepting Alphabet's money, Apple essentially sold their user-base to Google. They paid lip-service to privacy until commercial interests dictated otherwise. If Google was the default search engine without money changing hands, Apple could argue that they just selected the best or most-popular search engine. But because that spot was bought and paid for, it's a big black mark on their commitment to privacy.

Complaining about corporate interests chasing profit aside, here's my hot take: If Apple really cared about privacy, not only should they choose a different search engine, they should block ads and trackers in Safari by default.

There are other browsers that do this; and it's fairly trivial to set up an ad-blocker in Safari yourself. But so few people do. Every now and then I find myself on one of those content-y websites without an ad-blocker, and it feels like I've entered a casino on crack—with animated banners, sliders, and flashing ads interspersing the content.

Seizure-inducing websites aside, advertising-driven tracking is a privacy nightmare, as is the personal-data-economy that underpins it all.

Here's the thing: Apple could do this tomorrow. They could easily make Safari block ads by default. And yet they don't, despite it not being in their users' best interests. This would cripple Google, true; but it's asymmetric. As far as I can tell, Apple doesn't rely on Google for anything. Yet there's nothing illegal about Apple blocking ads and trackers by default. Hell, I'm surprised the EU hasn't mandated it yet.

And Google isn't even paying them $20 billion a year to prevent this!

So if there're any higher-ups at Apple who read my blog, hello!

I'm not suggesting Apple go full nuclear right away, but this should at the very least be part of the conversation around what respecting users and their privacy means.

And if Apple does pull this off, I'll finally believe the billboards.

Defaults matter
Published: 2025-09-10T11:35:00+00:00

Bear is now source-available
https://herman.bearblog.dev/license/
Updated: 2025-09-03T10:25:40.263883+00:00

When I started building Bear I made the code available under an MIT license. I didn't give it much thought at the time, but knew that I wanted the code to be available for people to learn from, and to make it easily auditable so users could validate claims I have made about the privacy and security of the platform.

Unfortunately over the years there have been cases of people forking the project in the attempt to set up a competing service. And it hurts. It hurts to see something you've worked so hard on for so long get copied and distributed with only a few hours of modification. It hurts to have poured so much love into a piece of software to see it turned against you and threaten your livelihood. It hurts to believe in open-source and then be bitten by it.

After the last instance of this I have come to the difficult decision to change Bear's license from MIT to a version of copyleft based on the Elastic License.

(edit: I chose this license over AGPL since I'm explicitly trying to prevent "free-ride competition", which AGPL doesn't protect against.)

This new license is almost identical to the MIT license but with the stipulation that the software cannot be provided as a hosted or managed service. Everything else is still permitted. You can view the specific wording here.

After spending time researching how other projects are handling this, I realise I'm not alone. Many other open-source projects have updated their licenses to prevent "free-ride competition" in the past few years.

We're entering a new age of AI powered coding, where creating a competing product only involves typing "Create a fork of this repo and change its name to something cool and deploy it on an EC2 instance".

While Bear's code is good, what makes the platform special is the people who use it, and the commitment to longevity.

I will ensure the platform is taken care of, even if it means backtracking on what people can do with the code itself.

Updates to the Bear license
Published: 2025-09-01T11:50:00+00:00

The ROI of exercise
https://herman.bearblog.dev/exercise/
Updated: 2025-08-22T07:57:23.484068+00:00

I work out 4 days a week and I love it. It's the foundation of my morning routine, following spending 45 minutes drinking coffee on the couch and watching the sun come up with Emma.

I've been doing this for a few years now and while I struggled (as everyone does) in the beginning, I can't imagine not exercising in the morning now. On the rare occasion that I do skip a workout, I feel it missing throughout the day as a lack of vitality and less mental clarity.

Let's perform a thought experiment to work out the return on investment of exercise. For this let's first assume that exercise does nothing else but expand your lifespan (not extend; since it's not just adding frail years to the end but instead injects extra years in each stage of life). We can ignore the effects it has on strength, focus, feelings of accomplishment, and mental health for now.

It's well understood that a good exercise routine is a mixture of strength, mobility, and cardio; and is performed at a decent intensity for 2-4 days a week for at least 45 minutes. This could be a combination of weight lifting, yoga, running, tennis, hiking, or whatever floats your boat.

This totals about 3 hours a week, or 156 hours per year. If we extrapolate that over an adult lifetime, that's about 8,500 hours of exercise, or about a year of solid physical activity.

That sounds like a lot! But when put into the context of life expansion, it's actually an incredibly good deal. There are many studies detailing how any physical activity, from an easy walk all the way up to vigorous exercise a few times a week increases expected lifespan by 3 to 10 years. And none of these studies used lifetime exercisers, just people who exercised regularly in the last 10-ish years.

This makes sense, since 80 years ago we were still fighting the second world war, and jogging only entered the mainstream in the 70s. Weightlifting was an even later bloomer, and only became cool in the 90s!

I speculate that a lifetime exerciser with a modern approach to physical activity would have an even longer health and lifespan than any of these studies suggest. But for this writeup I want to stick with conservative estimates and not speculate too much.

We know from one study that people who played tennis a few times per week lived roughly 10 years longer than average. So we'll use that value going forward.

That means that over a lifetime, one full year of exercise leads to 10 full years of extra life. That's a 1:10 return on investment! So even without any of the additional benefits (which I'll get into later), this is still one of the best investments you can make.

Yes, this is an oversimplification. Correlation between exercise and longevity doesn’t imply causation. Confounding factors like diet, socioeconomic status, and healthcare access influence lifespan. Attributing 10 years solely to exercise ignores these; but it does play a significant factor, as many well-controlled studies will attest to.

This is also based on the premise that all of the time spent exercising is "wasted", which is hardly the case. People love running, playing padel with friends, lifting heavy things, and hiking. I love being in the gym, working towards mini-goals, making progress, and interacting with the community around me. This is not time wasted. I'll posit for many people it's the best part of their day. Not only that but it leaves you feeling accomplished, wholesome, and less depressed and anxious.

To end off I'll rattle off a few other things exercise is good for:

  • Better sleep
  • Less frailty in old age
  • More strength
  • Able to take part in more fun activities (like long hikes)
  • Being more attractive (subjectively, of course)
  • Improved self perception
  • Better cognitive function and memory
  • Access to communities
  • Less pain
  • More mobility
  • A stronger immune system

And this is injected into every single part of your life and available in every decade. Not just at the end.

And this is inherently doable. This is the time equivalent of one episode of any Netflix show, 4 times a week. I watched 3 episodes of Pantheon on Monday alone!

So go do the thing. Incrementally at first. Start off slow and build up a practice that feels right. You won't regret it.

The math on why exercise is a good deal.
Published: 2025-08-22T07:45:00+00:00

Digital hygiene: Passwords
https://herman.bearblog.dev/digital-hygiene-passwords/
Updated: 2025-08-18T10:37:03.496920+00:00

This is part 3 of a 3 part series on digital hygiene. I suggest starting at part 1.

Whenever I watch heist movies, I always roll my eyes at the "hacker" character. They can consistently hack a building's camera system, or download the contents of a target's phone for use later in the heist. They also manage to hack the bank, which calls into question the need for a heist in the first place.

While there are real-world programmatic attack vectors that can be exploited, they're generally opportunistic. When a new vulnerability has been discovered, nefarious actors try to exploit it at scale before it's patched. The chances of finding and executing a "hack" on the spot (via bluetooth or something equally ridiculous) are slim.

Although, I digress. The most common vulnerability is significantly more boring. It's compromised passwords. These can be stolen through social engineering, like phishing, that exposes account details; but they're also commonly exposed through a data leak, where a service hasn't stored passwords securely, and thousands of email+password pairs are stolen. These authentication details are then systematically tested on a bunch of other services in the hope that some people have re-used their passwords, thereby giving the attacker control over those accounts.

And that brings me to the topic of today's post: Password hygiene.

Leaked or stolen passwords are by far the most effective way to hack an account. And so it is imperative that everyone who uses the internet, which accounts for 93% of people in the developed world, spends some time ensuring that their accounts and login information are secure.

On Bear Blog, the blogging platform I run, it is interesting to see the frequency with which the Forgot Password flow is used[1]. This is a pretty good indication of the number of people who do not store their passwords properly, since it should never be the case that you've forgotten your password. You should never have to remember your passwords in the first place.

I wonder how many work hours are lost globally due to people following the forgot password flow.

I have hundreds of accounts online, everything from my bank, to a free tool for converting ebooks. If I don't reuse any passwords (which I don't, see above) I'll have hundreds of email+password pairs. I certainly can't remember hundreds of different passwords and match them to the relevant services; and outside of a small subset of people, neither can anyone else.

Before I saw the light and started using a password manager, I used to use a password cipher of my own design. I'd take a string of letters, symbols, and numbers, say !xlk-bd15j-hjk, then replace a certain character with the first letter of the service I was accessing. So for example, if I was trying to access Amazon and the character I'd replace was the 6th one, the password for that service would be !xlk-ad15j-hjk.

This setup isn't very secure (but it is still better than using the same password everywhere). It works until it doesn't. The first issue I ran into with this is that some services had extra password requirements like needing at least one capital letter or a number. The second issue is that this leads to password re-use for all services with the same starting character in their name. Worse, a single leaked password exposes the whole pattern: seeing !xlk-ad15j-hjk next to an Amazon login is enough to guess the Netflix one. And finally, some services do require that you change your password regularly (more on that later), so I'd have to remember which accounts had updated passwords, generally by adding a 1 at the end of it.

It is possible to get extra creative with this, and I did for a while, running a bash script to generate passwords on the fly by taking in the name of the service and hashing it. A storage-less password manager, if you will. But this turned out to be pretty inconvenient, especially since this is a solved problem.

Enter the password manager.

Keeping passwords and 2FA recovery codes safe is easy: you just need to decide on a tool and stick with it.

There are lots of great password managers out there like Dashlane, 1Password, or Bitwarden. I'm quite partial to Apple's built-in password manager because it syncs between my devices and integrates seamlessly with Apple's biometric authentication, making every login a simple fingerprint scan.

Once you've chosen a password manager, you set a master password. This is the most important password, so it is never to be forgotten or written down[2]. I find using a passphrase is both higher entropy, and easier to remember than a password. That entropy only holds if the words are picked at random (by dice, or by the manager's generator) rather than taken from a quote or a song lyric. Here's a classic XKCD comic explaining password entropy.

Now, every time you log into a service or use the forgot password flow, ensure that you put the password into your password manager, or generate a brand new password using the password manager's built-in generator. You'll only need to do this once per service, and from then on you can use the password manager to login to that service. Another reason I like Apple's password ecosystem is that a lot of this is done by default, without having to manually copy and paste passwords. Password managers do have browser extensions and mobile apps to make this easier across devices. Use them.
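To make the entropy comparison concrete, here is an added example (not from the original post) that computes the entropy of passphrases and random passwords the way the XKCD comic does, and generates both with Python's secrets module, which is the job a password manager's built-in generator does. The symbol set, the 16-word demo list and the guess rate in years_to_crack are assumptions; a real passphrase generator draws from a list of thousands of words.

```python
import math
import secrets
import string

# Character classes a typical site policy asks for. The symbol set is an
# assumption; real generators let you tune it to whatever the site accepts.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&*+-=?@^_~",
}
ALL_CLASSES = tuple(CLASSES)

# Constructed stand-in for a real word list; a Diceware list has 7776 words.
DEMO_WORDS = ("anchor", "basil", "cobalt", "dune", "ember", "falcon", "garnet", "harbor",
              "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble")
DICEWARE_SIZE = 7776


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols chosen uniformly at random from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time to search half the space at an assumed offline guess rate."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def meets_policy(password, required=ALL_CLASSES):
    """True if the password contains at least one character from every required class."""
    return all(any(c in CLASSES[name] for c in password) for name in required)


def generate_password(length=20, required=ALL_CLASSES):
    """Uniformly random password over the union of the required classes.

    Rejection sampling (retry until every class is present) costs a fraction of a
    bit of entropy at this length; 20 characters over 76 symbols is ~125 bits.
    """
    alphabet = "".join(CLASSES[name] for name in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, required):
            return candidate


def generate_passphrase(words=DEMO_WORDS, count=6, sep="-"):
    """Random words drawn with `secrets`; entropy is count * log2(len(words))."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    print(f"4 Diceware words: {entropy_bits(DICEWARE_SIZE, 4):.1f} bits")
    print(f"8 random printable ASCII chars: {entropy_bits(94, 8):.1f} bits")
    print(f"20 chars from {sum(len(v) for v in CLASSES.values())} symbols: "
          f"{entropy_bits(76, 20):.1f} bits")
    print("generated password:", generate_password())
    print("generated passphrase (demo list):", generate_passphrase(),
          f"({entropy_bits(len(DEMO_WORDS), 6):.0f} bits with this tiny list)")
```

Four random Diceware words come to about 52 bits, the same as eight random printable characters, and six words from a list that size is about 78 bits; the point of the comic is that the words are far easier to carry in your head. The 20-character output of generate_password is what you let the manager store for every site, since nobody is expected to remember it.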

Your password manager will also generally alert you to password re-use, and most will also warn when a saved password shows up in a known breach. If the password has been used multiple times, I'd recommend going and updating all of the accounts. The best way to think about this is that at some point the password will be leaked. Which accounts are you comfortable having compromised? Naturally something like banking or email needs to be updated as a priority, but if it's for a background removal tool...actually, still update it. Why not?
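The "at some point the password will be leaked" test can be automated, and it is how password managers warn about breached passwords without uploading them. This added example (not from the original post) implements the k-anonymity lookup used by Have I Been Pwned's Pwned Passwords range API: only the first five hex characters of the password's SHA-1 are sent, the service returns every hash suffix in that bucket with a breach count, and the match happens locally. The network call is stubbed with a constructed response so the example runs offline; the breach counts and filler suffixes in it are made up.

```python
import hashlib
import urllib.request

# Pwned Passwords range endpoint: GET /range/<first 5 hex chars of SHA-1>.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(hash_hex):
    """The 5-character prefix that is sent, and the 35-character suffix that never leaves the machine."""
    return hash_hex[:5], hash_hex[5:]


def count_in_range(suffix, range_body):
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix; 0 if absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password, fetch_range):
    """Breach count for `password` (0 = not in the corpus).

    `fetch_range` takes a 5-character prefix and returns the response body, so the
    network layer can be swapped for a stub in tests.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(suffix, fetch_range(prefix))


def live_fetch_range(prefix):
    """Real lookup over HTTPS (not exercised offline). Add-Padding hides bucket sizes from observers."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the network: the bucket for "password" (whose SHA-1 is
# 5BAA61E4...) with a made-up count, plus two made-up filler suffixes. Real
# responses hold several hundred lines per bucket.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:4242",
        "0000000000000000000000000000000000A:1",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:2",
    ]),
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in the constructed corpus'}")
```

Swap fake_fetch_range for live_fetch_range to query the real service. A non-zero count means that exact password is in a public breach corpus and should be changed wherever it is used, which is the same signal the manager's warning is built on.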

Let's talk about 2-factor authentication (2FA), also known as multi-factor authentication (MFA). While there is a slight difference between 2FA and MFA (hint: it's the number of factors), I'll be using them interchangeably here.

MFA is a security measure that blocks access to an account even when the login details have been compromised. If you have good password hygiene and are vigilant about phishing attacks, that is unlikely. However, for high-priority accounts (email and banking especially, since email can reset everything else) it is a necessary security step.

SMS 2FA tends to get a lot of hate, justifiably, due to SIM-swap attacks. However, the reason many retail services (like banks) still use SMS instead of TOTP is that retail customers don't reliably store and back up their recovery codes. If you use Google Authenticator or a similar tool and do not back up your seeds or recovery codes, losing your device is an effective way to lock yourself out of your account. Banks rely on the assumption that you'll reclaim your mobile number; the same cannot be said about lost TOTP recovery codes.

That all being said, if you have the option to use a TOTP authentication code instead of SMS or email 2FA, I highly recommend you do that. You'll just need to ensure you've backed up your recovery codes.
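For the mechanics behind those six-digit codes, here is an added example (not from the original post) implementing TOTP per RFC 6238 on top of HOTP per RFC 4226 with the standard library, checked against the RFC's published test vectors. It also shows the server-side check a service should do: accept a neighbouring time step to allow for clock drift, but never accept the same step twice. The backup point the post makes is visible in the code: the base32 seed is the only secret, and whoever holds it (your manager's backup, or an attacker) can generate every future code.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_base32_secret(text):
    """Decode the base32 seed from an otpauth:// URI or QR code (spaces and padding optional)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with the counter taken from the clock (at = Unix seconds)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


class TotpVerifier:
    """Server side: tolerate neighbouring steps (clock drift) but never redeem the same step twice."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # highest step already redeemed

    def verify(self, code, at=None):
        if at is None:
            at = time.time()
        counter = int(at) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self.last_counter:
                continue   # replay protection: that step, or an earlier one, was already used
            if hmac.compare_digest(hotp(self.secret, candidate, self.digits), code):
                self.last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test seed (ASCII "12345678901234567890"), written in base32.
    seed = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at T=59 (8 digits):", totp(seed, 59, digits=8))   # 94287082 per the RFC
    print("code right now (6 digits):", totp(seed))
    v = TotpVerifier(seed, digits=8)
    print("first use accepted:", v.verify("94287082", 59))
    print("same code replayed:", v.verify("94287082", 61))
```

Backing up the seed (or the one-time recovery codes the service hands out at enrolment) is the whole game: the code itself is worthless thirty seconds later, but the seed regenerates codes forever, which is why it belongs in the same encrypted, backed-up place as your passwords and not on a phone that can be lost.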

I'm going to say something quite controversial here: I think it's okay to back up your recovery codes in your password manager.

While it does mean that if your password manager is compromised, then all of your accounts (including the ones protected by MFA) are exposed, MFA is generally there to protect against compromised login details and not against a compromised password manager. If your password manager is hacked...I'm sorry. You're going to have a tough time.

At the end of the day, the best tools are the tools you use. I like how Apple's 2FA codes also populate with biometric authentication, removing the need for me to go and find my phone (which I generally leave in another room while I'm working).

Some side notes:

  • Changing passwords regularly, especially as a requirement, leads to worse, not better, security. Mostly because users don't use password managers correctly and end up cycling through a rotation of memorised passwords. Forced password changes are also a well-known phishing pretext: a "your password has expired, click here" email is exactly what a phisher sends.
  • Take regular (encrypted!) backups of your passwords and store them offsite, just in case you lose access to your password manager, however unlikely that is.
  • Hardware authentication devices are neat, but most people don't work on systems important enough to warrant that level of security. There will always be a trade-off between usability and security, and more security isn't always better. I once misplaced a Yubikey and all of the accounts I used it on had TOTP authentication as a redundancy, so I guess it didn't add much extra security?
  • Developers, please stop logging people out of their accounts! There is very little to gain from having short sessions. It's annoying and leads to users forgetting and needing to recover their passwords more often.

As frustrating as it is, it's up to us developers to account for human folly and bad password hygiene. I'd love to create a webservice that only has a username and password with no need for an email address. But I know that I'll receive regular emails asking about account recovery due to a lost or forgotten password.

tl;dr: Get a password manager, and use it exclusively. Don't try to remember passwords. It's easier and more secure this way. Having good password hygiene makes you significantly less likely to wake up one day with your bank account drained.

As the old joke goes: If you're running away from a bear, you don't need to be faster than a bear, just faster than everyone else.

  1. It turns out there is a small subset of people who use the Forgot Password flow as their main means of authentication, never even trying to store/remember their passwords. This makes sense as it does function as "magic link authentication", but does seem very inconvenient to me. I hate having to go into my email in order to log in.

  2. It has been pointed out to me that writing down the master password isn't inherently insecure, as long as it's not stored contextually. So while it should be fine to write it down somewhere (especially if you're liable to forget it), don't write it on a sticky note titled "Password:" and stick it to your monitor.

Stay safe out there folks!

2025-08-13T09:25:00+00:00

Digital hygiene: Notifications
https://herman.bearblog.dev/notifications/
herman, 2025-08-12T10:37:01+00:00

This is part 2 of a 3 part series on digital hygiene. I suggest starting at part 1.

Over the past few years I've cultivated a decent relationship with my phone. Not a good one, mind you, but one I'm fairly comfortable with. There is a part of me that yearns for a return to simple, black-and-white phones, with Internet access limited to whichever room in the house had the phone line and computer. But there's no going back; and so I had to find a way to live with the Internet (and the hyper-connectivity it entails) in my pocket.

Developing a good relationship with your phone is an intentional process. It doesn't happen by accident. All apps and media, by design, are fighting for your attention. I've heard the term "attention economy" thrown around, and I feel like it's an apt description of the battle for our increasingly fractured attention.

And the easiest way to grab your attention is via notifications.

Sometimes I see a person's phone covered in notifications and I get anxiety-by-proxy. Red badges in the triple-digits; the notification bar an endless list of banners, messages, friend requests, and marketing content. I can't imagine this is a pleasant experience, but it seems to be the norm.

In my opinion, notifications need to be reined in as a priority. At the end of the day my phone is a tool. I want to choose how to use it. I don't want it to "keep me engaged" or sell me things. I want to own my own time, and have full control of my attention.

A more utilitarian reason to get notifications under control is that when all notifications are active, none of them are. When I use the Reminders app on my iPhone I actually want to be reminded of something, instead of that notification being buried beneath unimportant stuff.

Here's the method I used for breaking free of notification hell (you'll notice a lot of overlap with my previous post on emails):

1. Remove social media apps (or completely mute them at the very least)

I don't have traditional social media (think Instagram, Facebook, Twitter, or LinkedIn). I've written about it before. But in a nutshell, these apps consume my time and energy without giving me much value in return. Instead I try to nurture in-person relationships, or use longer-form digital communication, like calls or email.

Regardless of my personal preferences around having social media, it goes without saying that those apps should, at the very least, be muted. No banners, no badges, no sounds. It should be up to you when to engage with these platforms; because if left up to them you would never log off. Another way to manage this is to put social media apps on a separate device, like an iPad left at home, which takes this pernicious time-suck out of your pocket.

If you're trying to smoke less, don't carry a box of cigarettes around with you.

2. Opt-in instead of opt-out notifications

A simple but effective way of cleaning up phone notifications is to go and turn them all off, then selectively turn on the ones you actually need. The idea is that all notifications should be opt-in, instead of opt-out. Notifications should also be set to the least-intrusive method, depending on the application. For example, here are my only notifications on my phone:

  • Messaging apps (Telegram, WhatsApp, Messages)
    • ✅ Badges
    • ❌ Banners
    • ❌ Sounds
  • Phone calls
    • ❌ Badges
    • ✅ Banners
    • ✅ Sounds
  • Calendar and reminders
    • ✅ Badges
    • ✅ Banners
    • ✅ Sounds
  • Uptime monitor
    • ❌ Badges
    • ✅ Banners
    • ✅ Sounds
  • RSS reader
    • ✅ Badges
    • ❌ Banners
    • ❌ Sounds

Everything else is left turned off, since most things aren't time sensitive. I used to have Uber's notifications turned on, since I didn't want to miss my ride, but found that Uber doesn't respect marketing opt-out and would send me "special offers" that were impossible to turn off. Now I just make sure I don't forget that I've ordered an Uber.

With group chats on messaging apps (which can become overwhelming), I mute all of the ones that have a lot of noise and archive them, checking them every now and then.

3. Managing sounds

Sounds and vibrations are the worst kinds of notifications since they grab your attention even when not using your device. Because of this you'll notice that only calls, calendar and reminders, and uptime monitors have sounds enabled, since these are the time sensitive ones. But even then I still have sleep mode active after 7pm, so only my uptime monitor and repeat phone calls get through.

4. Report telemarketers and robo-calls

In South Africa we have a public National Opt-Out Register (you may have something like this in your jurisdiction). This can be used by companies to determine if you're open to direct marketing communications. When I receive a marketing call from a company, if it's a human I politely ask them to remove my number from their marketing list. If I receive another call from that company (or any robo-call) I report them to the Information Regulator of South Africa for processing my personal information without my consent, as well as not respecting the National Opt-Out Register. I then leave a public review for that company stating that they've broken the law by contacting me.

I'm very careful to never opt-in to any marketing communications, so I can say with certainty that any direct marketing I receive is definitively against privacy legislation where I live.

This has proven to be very effective. I have not received a single robo-call or direct marketing call in the past few months. It may seem like a lot of work up front, but it pays dividends since I never get pulled out of whatever I'm doing just to answer a call from a company I don't care about. It's also punishment for them trying to advertise to me in the privacy of my own home. That feels like crossing a boundary.

All of this applies to the computer as well. I don't allow any banners to pop up on my computer, since they easily pull me out of work. Slack only shows a small red badge (sans the number) to let me know there's an unread message, and even then the sidebar on my Mac is hidden by default. Your mileage may vary, depending on the work you do, but protecting deep work is important. At least to me.

So why all of this effort? I try to live an intentional and present life. I want to be here right now. Technology isn't going to regress back to the 90s and so we need to cultivate good relationships with our devices, so we can cultivate a good relationship with ourselves and the people around us.

Take back your attention.

Take back your attention.

2025-08-06T09:05:00+00:00

Digital hygiene: Emails
https://herman.bearblog.dev/digital-hygiene-emails/
herman, 2025-07-03T08:54:17+00:00

This is part 1 of a 3 (or 4, I haven't decided yet) part series on digital hygiene.

Email is, arguably, the backbone of the modern internet. Not only is it a means of communication, but is the de-facto identity for operating online. In this way, email isn't just how I communicate, but who I am online. Yes, some services still operate with usernames and passwords; but the vast majority of services use email as user identity. This arguably makes email the most important online account. Everything else relies on email.

Email is also where I do most of my work. From technical support, to replying to friendly emails, to receiving invoices; it is the workspace through which my occupation operates. And for all of these reasons, my email is well organised and easy to use.

People regularly comment on how quickly and personally I respond to their emails, and it's because they're generally only one of a few emails in my inbox. This isn't because I just naturally don't receive emails (I run two B2C web-services!). Instead it is because I am very active in maintaining a clean workspace. In the same way a carpenter keeps his tools neat and tidy; or a barista cleans his equipment and the counter after every coffee brewed; I put away my emails and wipe down my inbox after every use.

What's fairly interesting, though, is that people assume this is difficult. But it's not. Once I started keeping a clean inbox I actually had significantly less work, since every email I received actually warranted attention. The important ones weren't buried beneath a heap of newsletters, spam, receipts, and all the other cruft that can clog up the workspace.

Here's how I do it:

To kick things off, I have 2 email addresses. The first one is the one that I use as my identity. This is a gmail address that I've had since high school, and I use it to sign up to online services, fill in forms, and all the other things that require an online identity. I don't bother with email aliases since it just makes my identity harder to control. I respect people who do this to track data-leaks, but I couldn't be bothered.

The second email address is my conversational address. This is where people can contact me, whether it be for support or to just say hi. I don't have any web-services or online identities associated with this email address, and so every email I receive here is from a person.

My email is also not a place for adverts and marketing (we'll get to this later), or a place where I read newsletters. This is a place for work and communication. For newsletters I use an RSS reader (Reeder is my choice of client). If a website or newsletter doesn't support RSS (which is very rare) and I really want to receive updates, I use Kill the Newsletter, which creates an RSS feed of received emails. This could also be another email account specifically for newsletters, if RSS isn't to your liking.

This is one of the most important parts of my email strategy. My inbox isn't a place for leisurely reading. When I open my email it's with purpose. If I want to catch up on my newsletters and blogs I follow, I can flop down on the couch, open my RSS reader, and enjoy them when I'm not also trying to work.

Since my first email address is used for signing up to websites, apps, and all the rest; it inevitably receives marketing emails (even though I religiously never check that checkbox). Whenever I receive a marketing newsletter I always hit unsubscribe. I'm not interested. If I receive another email from that company I report their email as spam. This is a non-negotiable. Companies that disregard unsubscribes should be penalised, and the only way to do this is to make their email deliverability metrics slightly worse. Maybe they'll learn. Probably not.

When a new email enters my inbox I explicitly act on it. Every single email is attended to like this:

  1. If it warrants a reply, reply to it or act on the information.
  2. If it requires action or mulling over I either create an item on my todo list, or snooze the email for later.
  3. If it is a marketing email or a newsletter I unsubscribe, or mark as spam and block if they persist.
  4. If it is a receipt for a subscription, or any other recurring email that I can't block, I set up a filter to auto-archive those emails where I can find them if needed.
  5. Finally archive it. I archive all of my emails once they're completed, so the inbox only has unread and unattended emails. You can start this by simply selecting all of your emails and archiving them immediately, then follow the above steps going forward.

And I just keep doing that. I found that over time, once the cruft has been unsubscribed, filtered, or moved elsewhere; the only emails that hit my inbox are important ones that require my attention. Additionally, I only receive between 5 and 15 emails a day, and they aren't buried and require significantly less cognitive load to address.

Naturally everyone's workflow will look different based on the work that they do and personal preference. However I think it is universal to say being active about email creates a better experience for you and the people and services you interact with. This is just how I like to do it.

It's also possible to control what kinds of emails you receive. If you take a look at my contact page, you'll notice that it's intentionally formatted, and tweaked regularly. I have a big picture of my face to remind people that they're interacting with a human being (this is particularly useful for support requests). It then provides easy links to the most frequently requested resources. I specify my working hours, establishing that people will need to be patient when waiting for a response from me, especially over weekends (this is also particularly useful for support requests). And then finally my email is at the bottom in non-copy-and-paste (and maybe anti-bot) format.

I encourage people to randomly email me. Especially if it's to discuss a post of mine, invite me for a coffee, or just open a line of communication. The page is set up to point people in the right direction when looking for information, help them quickly resolve their queries, and to remind them that I'm not a nameless customer support agent.

I am quite privileged to decide what emails are important, since I work for myself. However, even if you receive a lot of email that can't be filtered out, having a system around what you can archive or unsubscribe from will inevitably make life easier.

Email is a great tool when used well. It is a place of slow(er) communication, and for some a place for connection. In many ways it is an extension of oneself. I like to keep it tidy.

Email is your most important online account, so keep it clean.

2025-07-01T10:50:00+00:00