Author Topic: OPSEC: Layered Digital Security and passwords  (Read 13917 times)

Offline idelphic

  • I Zgjuari I Dynjasë
  • Dedicated Contributor
  • ******
  • Posts: 1903
  • Karma: 44
  • Theoretical Conceptualist - Avatar by Ada
OPSEC: Layered Digital Security and passwords
« on: January 13, 2011, 08:13:08 AM »
I'm curious to see the responses-

I've worked with or on computers for quite a number of years; my first experience was with a mainframe with a line printer for a 'terminal.'  Makes me a fossil, I know.

While having spent this much time on and with them, I struggle from time to time with remembering passwords.  I've used different passwords for different sites only to forget them, then put them in Excel.

Excel isn't secure, even with (yet another) password, so some time ago I found KeePass, a password vault program that will run on WIN and Linux.

Then some documents came up that I wanted to protect, so I found TRUECRYPT, which is all great as such; now I have several passwords to try to remember.

But how involved does one get?  And how does one remember what password is used for what file, etc.?

One thought I have had is similar to the file structure of WIN. You have the root, and then sub folders, then files. While one can create overkill in the number of encrypted files or folders, and complexity...

Just curious what others might be doing... and really, how do you keep track of all the passwords?

nkawtg

  • Guest
Re: OPSEC: Layered Digital Security and passwords
« Reply #1 on: January 13, 2011, 08:47:21 AM »
What I do for passwords is simple and helps me remember. I have a root word that I preface and suffix with a number and a symbol.
The root word must have an upper case letter.
The root word cannot be a family name, pet name.
The root word must be a minimum of six letters.
No birth dates, no anniversaries.
Every 90 days I change the root word.
It's not perfect but it works for me.

For my PC I use Bitlocker.

Offline Servelan

  • Prepper
  • **
  • Posts: 31
  • Karma: 0
Re: OPSEC: Layered Digital Security and passwords
« Reply #2 on: January 13, 2011, 07:05:44 PM »
You tell me your password, and I'll tell you mine.

Offline Jim3

  • Prepper
  • **
  • Posts: 63
  • Karma: 4
    • Where's Jimbo
Re: OPSEC: Layered Digital Security and passwords
« Reply #3 on: January 14, 2011, 04:07:35 PM »
I use an algorithm password.  All my passwords are basically the same except for one part of it. Say for The Survival Podcast my password might be 1234SUxx7890.  My password for Save Our Skills would be 1234SAxx7890.  Something I haven't thought of is having another variable in there for different types of passwords.  Maybe for a website it could be 1234SUws7890. For a file named Preps.doc it could be 1234PRfi7890. Maybe you should use a symbol instead to make it more secure (1234SU%7890 - where all website passwords have the % sign).  Obviously you want to make up your own algorithm.  I can't tell you how many times this has helped me log in to websites I haven't been to in a while and been able to remember my password because of this.

Offline idelphic

  • I Zgjuari I Dynjasë
  • Dedicated Contributor
  • ******
  • Posts: 1903
  • Karma: 44
  • Theoretical Conceptualist - Avatar by Ada
Re: OPSEC: Layered Digital Security and passwords
« Reply #4 on: January 14, 2011, 05:26:06 PM »
Look at Password Card - www.passwordcard.org.  It's a pretty interesting concept in password creation; I have two codes, but don't use them since I can't remember them..

Could throw people off for some OPSEC.

Offline boboroshi

  • Survivor
  • ***
  • Posts: 104
  • Karma: 7
    • Sfumato Farm
Re: OPSEC: Layered Digital Security and passwords
« Reply #5 on: January 14, 2011, 05:38:11 PM »
I use 1Password - mac/windows program - and I have it generate random and crazy passwords, as long as the given system will let me. I have a long phrase that I can remember with spaces stripped out for a PGP key and to authorize one password. Years ago I used a Monty Python line (I don't use this anymore):

ifwetookthebonesoutitwouldn'tbecrunchynowwouldit?

I get two symbols and that would be quite difficult for a password crack file to handle. Make them capital letters at random or switch a few e's to 3s and it gets better.

I also recommend trying Apple's "memorable" password generator in their Keychain Access application. It makes complex passwords that are easier to remember but give you a decent level of security.

Offline JGreene

  • Survivalist Mentor
  • *****
  • Posts: 663
  • Karma: 13
Re: OPSEC: Layered Digital Security and passwords
« Reply #6 on: January 14, 2011, 05:55:08 PM »
I like to use long phrases.  The words themselves aren't so bad, it's remembering which one you used in case X, y or fZ.

Offline JohnAdams

  • Prepper
  • **
  • Posts: 64
  • Karma: 4
Re: OPSEC: Layered Digital Security and passwords
« Reply #7 on: January 17, 2011, 06:05:07 PM »
I like Keepass, which uses AES encryption, but be sure to use a strong passphrase.

Most people have far too weak passwords AND use them for many sites/services. What would happen if I set up a website and linked to it here, which required account registration, and then captured your password?  Would I be able to search for your username or email address to find other sites you're on and then log in with that password?

Read this article on Lifehacker: How I'd Hack your Weak Passwords
http://www.lifehacker.com.au/2010/03/how-i%E2%80%99d-hack-your-weak-passwords/

Summary: use upper and lower case, as well as numbers and symbols. It's not hard, just figure out a convention that works for you, like replacing "S" with "5", "T" with "7", pressing SHIFT when entering numbers familiar to you so the symbols are entered instead, last two letters of the passwords are uppercase, etc.

Some systems require more security than others, so a tiered approach may work for you to balance convenience with security. Frankly, I don't care if someone gets access to my Survival Podcast account, so I don't use as strong a password as I do for, say, my bank account. Essentially, I approach it similar to this:

Tier 1: Systems (e.g., websites) that don't have any significant personal information
Tier 2: Systems that have personal or sensitive data, such as bookmarks, social networking sites, and
Tier 3: Most sensitive information (e.g., email accounts, bank accounts)
Tier 4: Password archive

In my opinion, it would not be unreasonable to have to copy/paste the password for Tier 3 passwords into the login prompt versus remembering them, e.g., using the random password generation tool in password management apps.

Offline NWBowhunter

  • Survivalist Mentor
  • *****
  • Posts: 832
  • Karma: 24
  • Got Elk!
Re: OPSEC: Layered Digital Security and passwords
« Reply #8 on: January 17, 2011, 06:42:56 PM »
I am a strong believer in long passwords. I too use KeePass as a storage app. You can add files as well. I use grc.com/password to generate passwords for network stuff. Individual pass phrases for web sites.

Offline Prepper7

  • Survivor
  • ***
  • Posts: 193
  • Karma: 6
Re: OPSEC: Layered Digital Security and passwords
« Reply #9 on: April 02, 2011, 06:41:45 AM »
I've used RoboForm for five or six years. It will generate passwords for you and can also store application passwords. They have multiple versions: portable (on a USB device) or licenses connected to a computer, smartphone, iPad, or "the cloud". Each site password is a separate, encrypted file which can be emailed to someone else (e.g., sending an alarm code or other secure info to a family member). They have a free trial and there is a free version for 10 or fewer passcards. They have good tech support, too. Just select a very strong master password and change it periodically.

Offline Alpha Mike

  • Survivalist Mentor
  • *****
  • Posts: 805
  • Karma: 30
  • I'm preparing for a lack of imagination.
Re: OPSEC: Layered Digital Security and passwords
« Reply #10 on: April 05, 2011, 11:42:46 AM »
+1 on RoboForm.  I have used it and its password generator for several years now.  I keep it on a USB dongle, that is backed up of course.  All my passwords go with me as well as my bookmarked links.  You can even further encrypt the dongle with TrueCrypt for the extra paranoid.  Hmmm, I guess I must be one of those extra paranoid.

Offline metatron

  • Prepper
  • **
  • Posts: 69
  • Karma: 2
  • English guy
Re: OPSEC: Layered Digital Security and passwords
« Reply #11 on: April 05, 2011, 11:57:11 AM »
I use weak passwords and don't keep anything remotely important to me on the internet or on a computer. The only computer I'd trust is one with no outside connection and in a safe room. As far as I'm concerned, if it's on a computer it's public information.

Offline fritz_monroe

  • The Defenestrator
  • Administrator
  • Survival Veteran
  • *******
  • Posts: 8748
  • Karma: 159
    • The Homestead Fritz
Re: OPSEC: Layered Digital Security and passwords
« Reply #12 on: April 05, 2011, 01:22:05 PM »
My work is implementing a much stricter password policy.  Must be 14 characters or longer.  Must not be in the past 64 passwords.  Must include 1 of each lower case, upper case, number, special character.

Now it gets interesting.  There can be no increasing or decreasing characters, so no AB, 45, dc.  Cannot have 3 of the same class of character in a row, so no tsp or 492.

We also have several networks that we have to log onto.  Passwords cannot be the same on different networks.  I don't know if they will compare the password with the past 64 on other networks.

From what I've seen, there is a limit to what people will do before it gets MUCH less secure.  Make it hard enough and all people will do is write them down.
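As an added example (not fritz_monroe's or his employer's code), one way to implement the rule set listed above as a change-time checker; where the wording is ambiguous the interpretation is stated in a comment, and the salted-hash history store is an assumed design, not something the post describes.

```python
import hashlib
import hmac
import os
from collections import deque
from typing import List

# Added example: a checker for the rules in the post above, written from that
# description, not from any real policy engine. The history store is an assumed
# design: it keeps salted, slow hashes of old passwords, never their text.

MIN_LENGTH = 14
HISTORY_DEPTH = 64
CLASSES = ("lower", "upper", "digit", "special")


def char_class(c: str) -> str:
    """The four classes the policy names; anything not a letter or digit is special."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    return "special"


def is_sequential(a: str, b: str) -> bool:
    """Adjacent 'increasing or decreasing' pair such as AB, 45 or dc. Assumption:
    letters compare case-insensitively and only with letters, digits only with digits."""
    if a.isalpha() and b.isalpha():
        return abs(ord(a.lower()) - ord(b.lower())) == 1
    if a.isdigit() and b.isdigit():
        return abs(ord(a) - ord(b)) == 1
    return False


def policy_violations(pw: str) -> List[str]:
    """Every rule the candidate breaks; an empty list means it is compliant."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [char_class(c) for c in pw]
    for needed in CLASSES:
        if needed not in classes:
            problems.append(f"missing a {needed} character")
    for i in range(len(pw) - 1):
        if is_sequential(pw[i], pw[i + 1]):
            problems.append(f"sequential pair {pw[i:i + 2]!r} at position {i}")
    for i in range(len(pw) - 2):
        if classes[i] == classes[i + 1] == classes[i + 2]:
            problems.append(f"three {classes[i]} characters in a row at position {i}")
    return problems


class PasswordHistory:
    """Remembers the last `depth` passwords as salted PBKDF2 digests, so a reused
    one can be refused without the old passwords ever being stored in clear."""

    def __init__(self, depth: int = HISTORY_DEPTH, iterations: int = 50_000):
        self.depth = depth
        self._salt = os.urandom(16)          # one salt per user: one derivation per check
        self._iterations = iterations
        self._digests = deque(maxlen=depth)  # the oldest entry drops off automatically

    def _digest(self, pw: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), self._salt, self._iterations)

    def seen(self, pw: str) -> bool:
        d = self._digest(pw)
        return any(hmac.compare_digest(d, old) for old in self._digests)

    def record(self, pw: str) -> None:
        self._digests.append(self._digest(pw))


def accept_change(pw: str, history: PasswordHistory) -> List[str]:
    """Full change check: the policy rules plus 'not among the past N'. The password
    is added to the history only when it is accepted."""
    problems = policy_violations(pw)
    if history.seen(pw):
        problems.append(f"used within the last {history.depth} passwords")
    if not problems:
        history.record(pw)
    return problems
```

Run `policy_violations("Password123!xy")` to see the sequential-pair and three-in-a-row rules fire together; the same rules let "Wq7!Mx3#Kp9$Lr2" through, which shows why the post's last point matters in practice.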

Offline Docwatmo

  • May Ignite Spontaneously
  • Administrator
  • Survival Veteran
  • *******
  • Posts: 8894
  • Karma: 271
  • The Prepper Rising from the Ashes
Re: OPSEC: Layered Digital Security and passwords
« Reply #13 on: April 05, 2011, 02:04:33 PM »
I'm in the opposite boat so to speak; I'm trying to bring it down to a manageable level for users.  I've tried the complexity thing and they just write them down.  I'm looking at 2 or 3 factor authentication, using swipe cards and/or a USB stick timer/rolling number.  The key on the card can be a unique, rolling 1024 bit cipher of unimaginable complexity, and then the user would have a password that was complex enough for me to be comfortable but easy enough for them to use.  Then they would need both the card and their own password.  So even if their password is hacked, or they accidentally give it away or write it down, whoever gets it would still have to have the physical card to use it with, as well as a computer that has the swipe card and software to utilize the card.  This will work great in the business environment, but unless the software encryption can run off the USB stick or card and load on any machine, then it won't be useful for individuals outside of the office.



Offline Prepper7

  • Survivor
  • ***
  • Posts: 193
  • Karma: 6
Re: OPSEC: Layered Digital Security and passwords
« Reply #14 on: April 05, 2011, 08:26:58 PM »
<snip>  Hmmm, I guess I must be one of those extra paranoid.

<stands> Hello, I'm [NAME REDACTED] and I'm extra paranoid.  ;)

Offline XtraBright

  • Prepper
  • **
  • Posts: 36
  • Karma: 11
Re: OPSEC: Layered Digital Security and passwords
« Reply #16 on: August 12, 2011, 01:37:13 PM »
I have a 2GB USB Stick on my Keychain that is AES-256 encrypted with a long but easy to remember password.

Inside are simple text-files, one for forums, one for registrations (username, mail used), one for other various numbers, one for shopping (customer nr, ..) and so on.

If I need a password, no matter where, I plug it in, use my password to mount it and look it up.
After that it gets unmounted.

I have some copies of that image in various locations including private webspace, all of them in AES-256 format.

Offline FreeLancer

  • Global Moderator
  • Survival Veteran
  • ******
  • Posts: 6712
  • Karma: 820
Re: OPSEC: Layered Digital Security and passwords
« Reply #17 on: August 12, 2011, 09:25:28 PM »
Here's an exceptionally insightful xkcd on password strength:

Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess.

Thankfully, I came across that concept recently, too.  And I am utilizing it for the LastPass solution that I'm migrating to. 

Anybody else using LastPass?  Or have any words of caution about using it?  From what I've researched, it's supposed to be about as bomb-proof, from the technology side, as most of us will ever need.

Offline TNDadx4

  • Survivor
  • ***
  • Posts: 151
  • Karma: 4
  • Country roads, take me home To the place I belong.
Re: OPSEC: Layered Digital Security and passwords
« Reply #18 on: August 12, 2011, 10:26:46 PM »
Anybody else using LastPass?  Or have any words of caution about using it?  From what I've researched, it's supposed to be about as bomb-proof, from the technology side, as most of us will ever need.

I've used LastPass and TrueCrypt. Both are good products. With LastPass, your information is still vulnerable if you use a weak master password to log into the system. Another concern that I have is that I seem to remember reading that they track sessions for reporting and marketing purposes. I am also not really crazy about personal information being even partially in the hands of a third party. If you are worried about that, KeePass, http://www.keepass.info/, is a really good alternative.

For individual items like text files, I use Steganos LockNote, http://www.steganos.com/us/products/for-free/locknote/overview/ which uses AES 256-bit encryption. You can store 1 or 2 really long passwords in there for your other password programs.


Offline FreeLancer

  • Global Moderator
  • Survival Veteran
  • ******
  • Posts: 6712
  • Karma: 820
Re: OPSEC: Layered Digital Security and passwords
« Reply #19 on: August 12, 2011, 11:09:31 PM »
I think LastPass stores an AES-256 multi-salted hash of the master password, not the password itself, with everything else encrypted.  If you forget the password you're screwed; they have no idea what it is.  You can also use multi-factor authentication with a USB key, YubiKey, biometric scanner, or one-time passwords.

The Security Now guy thinks it's about as good as it gets:  http://www.grc.com/sn/sn-256.htm

But I have no ability to independently verify his claims.


Offline metatron

  • Prepper
  • **
  • Posts: 69
  • Karma: 2
  • English guy
Re: OPSEC: Layered Digital Security and passwords
« Reply #20 on: August 13, 2011, 09:38:22 AM »
The issue with passwords is not purely how strong they are but if you use a pattern; there is no point using secure passwords on websites/forums as they're so easy to steal, and I don't trust online banking. I would just not bother keeping anything you would care about getting out on the internet.

Offline FreeLancer

  • Global Moderator
  • Survival Veteran
  • ******
  • Posts: 6712
  • Karma: 820
Re: OPSEC: Layered Digital Security and passwords
« Reply #21 on: August 13, 2011, 10:31:20 AM »
The issue with passwords is not purely how strong they are but if you use a pattern; there is no point using secure passwords on websites/forums as they're so easy to steal, and I don't trust online banking. I would just not bother keeping anything you would care about getting out on the internet.

That's why I'm using LastPass, it eliminates the password patterns I was using previously.  It will generate a (pseudo)random password for each site, so if one is compromised there's less risk of the whole house of cards caving in from the same login credentials being used on multiple sites. 

As far as using the internet for banking, I guess everyone needs to educate themselves about the risks, and then do whatever promotes the best sleep.  Like most things in life, you have to weigh the risks against the benefits, and accept that what makes sense for others may not be best for you.

devildoc

  • Guest
Re: OPSEC: Layered Digital Security and passwords
« Reply #22 on: August 16, 2011, 10:34:51 PM »
:-X  what does OPSEC mean? I know, but I digress.....

IPCOP sitting at the front door; dual NIC will take a bit of geek to get going.
Other funlocks past the primary door. Wireless locked down to the MAC address of the machine.
No use of Google products on the PC. They are blocked at the ACL.

For all inventories, done on a laptop with gutted and disabled wireless that is kept in a locked safe.

I have a Droid phone; I disable as much of the Google crap as possible. I plan on rooting the phone as soon as I can find out how to. I don't scan with it; I keep nothing on it but points of contact. I don't share wireless access with others that come over (house rule). BTW, if I showed you how easy it is to bluejack your Bluetooth you would never trust it again, and NEVER USE WIRELESS on your phones.

Use other places when you need to investigate things on a search level.

Offline inthego

  • Survivalist Mentor
  • *****
  • Posts: 762
  • Karma: 18
  • No man is free who is not master of himself..
    • My Biz web site
Re: OPSEC: Layered Digital Security and passwords
« Reply #23 on: August 16, 2011, 11:16:50 PM »
I use LockNote from SourceForge.  Cool little text based tool I use for storing all my passwords.  It will work on Linux if you install Wine.
The only password you would need to remember is the one to LockNote, and the encryption is as good as it gets.

From Steve Gibson of Gibson Research and the Security Now podcast:
"The pass-phrase which the user supplies is concatenated with its length. And that is hashed through an SHA-256 hash to produce a 256-bit key. So that's exactly what you want. That key is used to drive an AES-256 cipher, so that's the Rijndael cipher with its maximum 256-bit length key"

And it's free..  get it while the getting is good.
http://sourceforge.net/projects/locknote/
 8)
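The derivation in the quote, as an added example written from that description (not LockNote's source code), with a sizing check next to it. The quote does not say how the length is encoded before concatenation, so the decimal-string form is an assumption, and the PBKDF2 comparison is added here for contrast, not something the post states.

```python
import hashlib
import math
import time

# Added example, not LockNote's code: the derivation in the quote above, rewritten
# from that description. The quote does not say how the length is encoded before
# it is concatenated; appending it as a decimal string is an assumption.


def locknote_style_key(passphrase: str) -> bytes:
    """One SHA-256 pass over passphrase || length, giving the 32 bytes an AES-256 key needs."""
    data = passphrase.encode("utf-8")
    return hashlib.sha256(data + str(len(data)).encode("ascii")).digest()


def iterated_key(passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """For comparison: PBKDF2-HMAC-SHA256, a salted derivation that repeats the hash
    `iterations` times, so each candidate passphrase costs that many hashes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def derivations_per_second(derive, sample_seconds: float = 0.25) -> float:
    """Measure how many derivations one core of this machine completes per second."""
    count, start = 0, time.perf_counter()
    while time.perf_counter() - start < sample_seconds:
        derive(f"candidate passphrase {count}")  # constructed inputs, content irrelevant
        count += 1
    return count / (time.perf_counter() - start)


def entropy_bits_needed(derive, years: float = 10.0) -> float:
    """Bits of passphrase entropy at which trying every candidate with this
    derivation would take `years` on one core: a sizing check for a master passphrase."""
    rate = derivations_per_second(derive)
    return math.log2(rate * years * 365 * 24 * 3600)


if __name__ == "__main__":
    salt = b"\x00" * 16  # constructed; a real file would store a random salt
    print("single SHA-256 pass:", round(entropy_bits_needed(locknote_style_key), 1), "bits")
    print("PBKDF2 600k iters:  ", round(entropy_bits_needed(lambda p: iterated_key(p, salt)), 1), "bits")
```

The gap between the two printed figures is the extra entropy a master passphrase needs when a single hash pass, rather than an iterated one, stands between the passphrase and the key.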

devildoc

  • Guest
Re: OPSEC: Layered Digital Security and passwords
« Reply #24 on: August 17, 2011, 01:18:34 AM »
OPSEC = Operational Security

If you are a prepper, why would you advertise yourself and location on Google Maps like so many on here?

EDITED BY MODERATOR: triple-posting not allowed.  See GOOGLE MAPS thread for complete post.
« Last Edit: August 17, 2011, 09:49:56 AM by Mr. Bill »

Offline Artos

  • Dedicated Contributor
  • ******
  • Posts: 1178
  • Karma: 83
  • Ride life bareback
    • CPT Caveman's Cave
Re: OPSEC: Layered Digital Security and passwords
« Reply #25 on: August 17, 2011, 08:53:59 AM »
I have collected everything I have been able to gather from trusted sources into one blog entry here: http://cptcaveman.wordpress.com/2011/08/17/personal-data-security/

Offline Amerigo

  • Survivor
  • ***
  • Posts: 126
  • Karma: 14
Re: OPSEC: Layered Digital Security and passwords
« Reply #26 on: August 18, 2011, 05:10:37 PM »
For those who have actual knowledge about electronic security, could you tell me if this idea would result in a difficult password to break?

Take a song that you know the lyrics to, and do all the first letters of that song (for the first 2 lines, first verse, however long you want the password to be).  This way all you have to remember is the song, and as long as you already know the lyrics by heart, it creates a seemingly random long string of letters.

ttlshiwwyauatwshladitsttlshiwwya

Long list of letters that I can recall at a moment's notice.  (Twinkle Twinkle Little Star).  Good idea?  Bad idea?

ETA:  I just read on the "How I'd Hack Your Weak Password" article that adding a capital letter or special character exponentially increases the difficulty.  So maybe you could just throw in a caps on the first letter and a special character at the end?
« Last Edit: August 18, 2011, 06:12:29 PM by Amerigo »

Offline inthego

  • Survivalist Mentor
  • *****
  • Posts: 762
  • Karma: 18
  • No man is free who is not master of himself..
    • My Biz web site
Re: OPSEC: Layered Digital Security and passwords
« Reply #27 on: August 18, 2011, 09:23:57 PM »
The person trying to crack your password is at a disadvantage due to the fact they do not know what method you're using. Using brute force with a dictionary database is very limited in cracking any password that is of any length (say 7 to 10 characters in length),
even if the person has control of your computer.  I sometimes have to try and crack a client's password for them due to the fact they forgot it.  I am only able to retrieve the password if it was not very long and/or complex (using alphanumeric and special characters).

How most people get your pass is by either circumventing the password altogether using a software glitch, or using a "man in the middle" type of hack (they monitor all your Internet traffic) http://en.wikipedia.org/wiki/Man-in-the-middle_attack, or a virus with a key-logger that stores all you type on your keyboard and sends that info to them via email. Or they may try to reset your password by acting like they are you and forgot the password, and try to guess your security questions.  Say you have a Facebook account and you list where you went to High School or your Home town; that oftentimes is the very question that is used to "secure your ID". By the way, this is how Sarah Palin got her email cracked.

Best advice on passwords is use something you WILL REMEMBER, use numbers and letters with special characters (*&^%$#@!) - if they are allowed anyway - and change your passwords from time to time.
 8)

For those who have actual knowledge about electronic security, could you tell me if this idea would result in a difficult password to break?

Take a song that you know the lyrics to, and do all the first letters of that song (for the first 2 lines, first verse, however long you want the password to be).  This way all you have to remember is the song, and as long as you already know the lyrics by heart, it creates a seemingly random long string of letters.

ttlshiwwyauatwshladitsttlshiwwya

Long list of letters that I can recall at a moment's notice.  (Twinkle Twinkle Little Star).  Good idea?  Bad idea?

ETA:  I just read on the "How I'd Hack Your Weak Password" article that adding a capital letter or special character exponentially increases the difficulty.  So maybe you could just throw in a caps on the first letter and a special character at the end?

Offline Docwatmo

  • May Ignite Spontaneously
  • Administrator
  • Survival Veteran
  • *******
  • Posts: 8894
  • Karma: 271
  • The Prepper Rising from the Ashes
Re: OPSEC: Layered Digital Security and passwords
« Reply #28 on: August 19, 2011, 07:20:14 AM »
When dealing with passwords on Windows based systems, there is a flaw in the hashing algorithm.  All passwords are broken down into 7 character hashes.  Tools that break the hash to retrieve the password work on each 7 character group by itself, not the whole thing.   Believe it or not, but a 7 character password is stronger than an 8 character password because of this.  The cracking tool will work on the hash to determine the 1 extra character in the second hash; once it cracks that character, it then applies the same crack to the remaining password.

So any password you use should be in combinations of 7 characters, so either 7, 14, 21 etc.   That will provide the best prevention against the hash programs (which run inside your network or computer once the perimeter has been breached).

Used to be hackers had to attack the perimeter, get past the firewall etc.  Firewalls are too strong to hack anymore.  (Realistically, there are some tools available that can catch improperly set up firewalls but it's not worth the effort.)  Social engineering and employees are the weak links past the firewall.

Continuing on passwords.   The 3 main ways people get your password are either:
     1.  Social engineering (Which includes getting a trojan or keylogger on your machine which negates even the strongest passwords).
     2.  Dictionary attacks (Which run against outward facing passwords, like on web pages or remote terminal sessions etc)
     3.  Hashing programs (Which run inside your network against the saved password hashes on windows machines).

So, starting with social engineering, it really comes down to being smart about how you use your computer.   (Unfortunately, if you work someplace with a bunch of people that are easily fooled by a phone call claiming to be the local tech support (believe me this works ;) ) and fall for it, you're going to get someone inside your network (maybe not inside your computer, but inside your network so they can run dictionary and hash tools).)

Dictionary attacks use lists of common words and phrases and slang etc. to crack passwords.  People are lazy and creatures of habit.  A little research can go a long way toward cracking passwords.  Say for example I am looking at a system and all the servers are named after Star Trek spaceships.  I would immediately know that the IT guy is a Star Trek fan.   Thus I would download some of the thousands of pre-built dictionary lists with every Star Trek phrase, word, ship, tool etc. ever done in them.  Typically, this will be the most likely dictionary to use and generally I could crack a weak password in minutes or a moderate password in hours or days using this technique.  (Don't worry, I don't hack.  I do security work legitimately so this is part of my job).

On hashes, which are the most efficient tool once inside someone's network.   I have 2 tools in my bag of tricks for cracking hashes.   One will crack a moderately complicated 7 character hash in 4 to 6 hours.   And that runs on my own machine after I spend 10 seconds pulling the hashes off the target machine.    This tool is so fast that if you use a simple text password with no capitals such as jadotjt   (Just Another Day On The Job Today)  it will crack it in less than a second.  The more complicated it gets the longer it takes.  My high end laptop can crack a moderately done 7 character hash in 2 hours (that's a password that includes upper case, lower case and numbers).   I did let it run for 3 days continuously on a 7 digit that had numbers, letters, uppercase, lowercase and symbols and it didn't break it, but that was a very limited test against a password I designed to be as secure as a 7 digit could be.

Now using those same tools, make your password 14 digits and it may take several months to years to break the hash.   Exponentially more difficult.  (Thus the reason to change passwords periodically to prevent these types of attacks.)

What Amerigo is talking about above is called a passphrase or modified passphrase, and if you use a passphrase that is made up entirely on your own you're good.  But many of the standard dictionary attacks have common passphrases such as childhood rhymes etc. already hashed out (including most song lyrics and any other text available to add to a dictionary; as in the Star Trek example above, if someone knows you're a Deadhead, there are Grateful Dead dictionaries out there already).

So a best password is one that is easy to remember, contains upper case, lower case, numbers, symbols and spaces, does not contain any recognizable words or common number combinations (666, 911 etc) and is 14 characters long.  That should keep you safe from most attack methods.   

 

Offline Mr. Bill

  • Like a hot cocoa mojito
  • Administrator
  • Ultimate Survival Veteran
  • *******
  • Posts: 15347
  • Karma: 1878
  • Trained Attack Sheepdog/Troll hunter
Re: OPSEC: Layered Digital Security and passwords
« Reply #29 on: August 19, 2011, 09:28:50 AM »
When dealing with passwords on Windows based systems, there is a flaw in the hashing algorithm. ...

Gosh, what a surprise.

Thanks for that info, Doc!

...So a best password is one that is easy to remember, contains upper case, lower case, numbers, symbols and spaces, does not contain any recognizable words or common number combinations (666, 911 etc) and is 14 characters long. ...

Okay, I don't want to pick on you, but :rofl:

Seriously, do you have any suggestions for how to make 14 apparently-random characters easy to remember?  Because otherwise the user is just going to write them on a Post-It note, which is a separate security problem.