diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..e30b6f0
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,6 @@
+# Sentinel Journal
+
+## 2025-05-15 - Hardcoded CBC Cipher and Weak Password Generation
+**Vulnerability:** The container entrypoint script explicitly configured a CBC-mode cipher (`DHE-RSA-AES256-SHA`) and generated default passwords using only digits (`0-9`).
+**Learning:** Hardcoding specific cipher suites in scripts can lead to outdated security practices persisting even when the underlying software supports better options. Also, password generation scripts should maximize entropy within usability constraints.
+**Prevention:** Use stronger defaults (GCM) and ensure random generation uses a larger character set (`A-Za-z0-9`).
diff --git a/copyables/entrypoint.sh b/copyables/entrypoint.sh
index 0d224a0..1f84754 100644
--- a/copyables/entrypoint.sh
+++ b/copyables/entrypoint.sh
@@ -42,7 +42,8 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
     if [[ $PASSWORD ]]; then
       echo '# <use the password specified at -e PASSWORD>'
     else
-      PASSWORD=$(cat /dev/urandom | tr -dc '0-9' | fold -w 20 | head -n 1 | sed 's/.\{4\}/&./g;s/.$//;')
+      # Generate a strong alphanumeric password
+      PASSWORD=$(cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 20 | head -n 1 | sed 's/.\{4\}/&./g;s/.$//;')
       echo \# ${PASSWORD}
     fi
   fi
@@ -65,7 +66,8 @@ if [ ! -f $CONFIG ] || [ ! -s $CONFIG ]; then
   # switch cipher
   while :; do
     set +e
-    vpncmd_server ServerCipherSet DHE-RSA-AES256-SHA 2>&1 >/dev/null
+    # Use AES-GCM cipher suite for better security (GCM vs CBC)
+    vpncmd_server ServerCipherSet DHE-RSA-AES256-GCM-SHA384 2>&1 >/dev/null
     [[ $? -eq 0 ]] && break
     set -e
     sleep 1