Password Policy

This is a copy of our internal policy. We share it to help customers get a better understanding of how we work. The policy will get updated or improved from time to time. You’re welcome to give us feedback by sending a mail to security@small-improvements.com.

Security is paramount at SI, and using the right passwords is one core ingredient. Please follow the following guidelines and requirements carefully:

  • It’s crucial that every employee uses a unique, per-service password (one password per service, never reused) for every business service they use on behalf of SI. Never use a password that you can remember, or (worse) one that you’ve already been using at another system. Instead, use a password manager such as 1Password (or the Apple Keychain) that will generate passwords and store them for you. Choose a strong master password for 1Password and remember that one (and make sure you never use it anywhere else either).
  • When setting passwords, choose at least 14 random characters, and unless the service prohibits this, do include digits and special characters too.
  • Since we use a unique password per service, we don’t have to cycle passwords. If one service we use is compromised, change that password, but there’s no need to change anything else.
  • Multi-factor authentication should be used whenever possible. It must be used on all systems that enable access to confidential data (like customer data), and it must also be used on systems where your access level could be exploited to cause harm (if you have edit rights to the website, for instance: the website has no customer data, but installing malware on the website would of course still be disastrous).
  • Do not share personal passwords! The only possible exception is if we use a service that simply doesn’t allow multi-user access, like Instagram for instance. In that case, create a secure “vault” in 1Password and share the password only with the people who absolutely need access. Change the password once a person doesn’t require access anymore (or is leaving the company).
  • Change initial passwords immediately: In some cases we will set up a new account on behalf of staff and we have to assign an initial password. Most systems require the new employee to change the password immediately. In case the system does not mandate this, it’s on the employee to set a new, secure password.
  • If in doubt, change your password! If a service you use has been compromised, or may have been compromised, immediately change your password.
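The length and character-class rules above are what a password manager enforces for you; the following is an added illustration (not code from SI or from 1Password) of how a generator and a compliance check for those rules can be written correctly. It uses Python’s `secrets` module (a CSPRNG, never `random`), guarantees the required character classes, and estimates the entropy of the result. The set of special characters is a constructed assumption; a real service may allow a different set.

```python
import math
import secrets
import string

# Policy parameters taken from the page: at least 14 random characters,
# including digits and special characters unless the service prohibits them.
MIN_LENGTH = 14
DIGITS = string.digits
LETTERS = string.ascii_letters
# Constructed example set of special characters; adjust to what the service accepts.
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"


def meets_policy(password: str, allow_specials: bool = True) -> bool:
    """Check a candidate password against the page's rules.

    allow_specials=False models a service that prohibits special characters;
    in that case only the length and digit rules apply.
    """
    if len(password) < MIN_LENGTH:
        return False
    if not any(c in DIGITS for c in password):
        return False
    if allow_specials and not any(c in SPECIALS for c in password):
        return False
    return True


def generate_password(length: int = MIN_LENGTH, allow_specials: bool = True) -> str:
    """Generate a policy-compliant password with a cryptographically secure RNG.

    One digit (and one special character, when allowed) is placed first so the
    class rules always hold; the list is then shuffled with the CSPRNG so those
    guaranteed characters do not sit at predictable positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    alphabet = LETTERS + DIGITS + (SPECIALS if allow_specials else "")
    chars = [secrets.choice(DIGITS)]
    if allow_specials:
        chars.append(secrets.choice(SPECIALS))
    while len(chars) < length:
        chars.append(secrets.choice(alphabet))
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the entropy of `length` uniform draws from `alphabet_size`
    symbols. Forcing at least one digit/special removes a negligible amount."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    # 14 characters over letters+digits+24 specials (86 symbols) is about 90 bits.
    print(round(entropy_bits(MIN_LENGTH, len(LETTERS + DIGITS + SPECIALS)), 1))
```

The check deliberately does not try to rate “memorable” passwords: under this policy the only requirements are length and character classes, and uniqueness per service is guaranteed by never typing a password in by hand at all. A master password for the manager itself is the one exception, and it is not something a generator should produce for you to memorise.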

If you have questions about this policy, don’t hesitate to ask your manager, or even the CEO.


Please also see our privacy policy.