Is passive Investigation essentially truesight against illusions?

I have been thinking about this for a few days (since taking the Observant feat specifically) and have now seen my logic backed up in this question.

Let’s assume a character has 20 passive Investigation. A level 13 caster with 20 INT has a DC of (8+5+5) = 18.

Does the character see through the illusion automatically?

I am prepared to consider that there is a range requirement on this, which would be answered by the linked question, so this question assumes the character is already within whatever range is required.

Should a password generator validate its output against a dictionary?

If I were to design a password generator, is it best to leave it truly random or validate its output to avoid certain passwords?

For example, if my password generator was truly random, it’s possible its output could be “password”.

Where do you draw the line, should it just scan for common passwords, or ensure nothing in the entire string matches a known word? E.g. “fg3~nfpasswordh&tr”.

Does doing this reduce the security of my password generator because the possibility space is reduced?

What do you roll Insight against when a PC is telling the truth? [duplicate]

This question already has an answer here:

  • What do you roll Insight against when the other person is telling the truth? 4 answers

There is already a similar question, however the answers focus on that you should not tell players that they don’t believe the other but they should decide that themselves and only get hints. And while that may be true, it doesn’t actually answer the question posted in the title. I started to talk about it in the comments of the first answer but the discussion is too extended for comments. So here is a new question.

In my specific case I have a new character x joining the party and he wants to help the party and tells them the town master is actually bad. The party has no reason to believe him. They ask for an insight check. Now what does x roll?

X is a charismatic character and I want him to be able to take advantage of that maybe via persuasion. But I don’t just want to contest the party insight with his persuasion, because I feel like a high roll on either side should be rewarded by on one hand x showing signs of being truthful and the party reading those signs. I was thinking about adding both checks and taking an average against DC 10 but it seems a bit random.

Do you make saves against the spell web as you move through it?

Inspired by this question I am wondering how exactly the web spell works. It states (emphasis mine):

“Each creature that starts its turn in the webs or that enters them during its turn must make a Dexterity saving throw.”

I believe that this means that if you are not in the webs and enter them, you must make a save. If you succeeded, exited the webs, and re-entered them, you would have to make another save, as you are “entering the webs during your turn”.

Unlike many other spells such as moonbeam, web does not state that the save occurs only the first time you enter them.

Do you have to make a save for each square of webbing that you enter?

Is there a way to protect against fake messages by an SPA that consumes a webservice directly?

I develop a webservice currently and communication might be a bottleneck. It would be at least 100ms faster if I could access the webservice from the browser directly instead of sending the messages to the consumer’s server first and relaying them to the webservice along with the consumer identifier.

If I store that consumer identifier in the SPA, then everybody could fake a request in the name of the consumer, they just need to check what the SPA sends to the webservice as a user of it. Is there a way to protect the webservice against these kinds of fake messages?

How can I secure Wifi against these specific attacks?

I have found myself in a situation where I need to set up a somewhat secure Wifi network. I am primarily concerned about these attacks, however I welcome any advice about other attacks that I should be concerned with as well:

  • An unauthorized party gaining access to the network without any prior knowledge (e.g. by a neighbor brute-forcing the PSK)
  • A user that is authorized to use the network as a user (e.g. no access to the router’s admin panel or the RADIUS server) decrypting another user’s data to violate their privacy
  • A 3rd party attacker (or an authorized user) that sets up an evil twin attack and is able to get the PSK (or RADIUS credentials) and/or the data itself, thus violating all users’ privacy and/or accessing the network without authorization

My research tells me that the normal standard that I have used for years, WPA2 PSK with AES, is vulnerable to all but the first attack. Upon further reading, I have discovered WPA2 enterprise and that it is supposed to be more secure against these types of attacks. It appears to have many different modes, however (e.g. What is the difference between EAP, PEAP, and MSCHAP?), and I am finding conflicting and incomplete information about whether or not it is vulnerable to the middle (conflicting information) and last attack (no information).

As such, I ask, what is the best way to set up Wifi to be secure against all three of these attacks? I suspect that some sort of SSH-style key will need to be given to each client, along with an AP/server key that the client can use to defend itself against evil twin attacks, but I can’t find anything that precisely describes how to set this up. I am looking for instructions as precise as something like this, for high quality TLS.

How can I prevent fights against a lot of minions from being boring?

There was an encounter in my most recent D&D 4e adventure in which the players fought several (16) minion skeletons. Because all of the skeletons were minions, the encounter was not difficult, but it was also not very interesting. Resolving the actions of all 16 skeletons felt like more of a slog than a tense, exciting fight, because for every single skeleton I had to decide who to attack, then roll for attack, then roll damage, which got tedious quickly.

What techniques can I use to make fights against minions more interesting rather than just, “You all attack, then they all attack, then you, then them…”?

How can a party defend against the Nightmare Haunting action of a Night Hag?

This question was asked previously with respect to D&D 3.5:

What are the ways that a CR-appropriate party can stop a Night Hag's dream haunting?

There are some interesting answers there, but none of them were selected as the answer, and the monster has changed between editions. In particular, that question notes that Night Hag’s CR was 9 in the previous edition, whereas currently they are CR 5. Presumably, a full-strength 5th level party of four adventurers should be able to defeat a Night Hag.

The Night Hag has the following action:

Nightmare Haunting (1/Day): While on the Ethereal Plane, the hag magically touches a sleeping humanoid on the Material Plane. A Protection from Evil and Good spell cast on the target prevents this contact, as does a Magic Circle. As long as the contact persists, the target has dreadful visions. If these visions last for at least 1 hour, the target gains no benefit from its rest, and its hit point maximum is reduced by 5 (1d10). If this effect reduces the target’s hit point maximum to 0, the target dies, and if the target was evil, its soul is trapped in the hag’s soul bag. The reduction to the target’s hit point maximum lasts until removed by the Greater Restoration spell or similar magic.

Let’s assume that a 5th level party has already had a member suffer one night of Nightmare Haunting, and through player knowledge, role-played interactions, or Arcana checks, they’ve figured out they’re facing a Night Hag and are expecting night two. Let’s also assume they have all the knowledge of the Night Hag MM entry, knowledge of all the spells in the PH (and a mix of casters who can prepare any spell up to 3rd level), and no magic items.

Contact can be “prevented” by:

  • Protection from Evil and Good, which is 1st level, but only lasts 10 minutes.
  • Magic Circle, which is 3rd level, and lasts an hour.

But since the Night Hag can come any time during the night, it’s not clear that these spells are helpful. Magic Circle lasts longer if cast at higher level, but it doesn’t help our 5th level party, and depending on your DM’s sleep rules (not well-covered in RAW), may not be helpful until you get to an 8th or 9th level slot.

So in order to “prevent” contact, you wait for the Night Hag to arrive, then you cast the spell. But how does the party even know the Night Hag is there? See Invisibility can be used to see ethereal creatures, but it only lasts an hour, and the Night Hag can come any time during the night.

Then, if the party realizes the Night Hag is there but the Nightmare Haunting hasn’t started, a spellcaster casts Protection from Evil and Good or Magic Circle. So the Night Hag goes away, and comes back after the spell expires. Repeat until no more spell slots, or at least deprive most of the party of their long rest.

So the party realizes it’s fruitless to drive the Night Hag off before the Nightmare Haunting has begun. The spellcaster waits for the Night Hag to begin Nightmare Haunting a sleeping party member, then casts Protection from Evil and Good or Magic Circle. The Night Hag’s 1/day power is spent. But do these spells even work? It’s not clear to me that “prevented” means “stops” in this context. (And what does Magic Circle even do if you cast it on an area that already contains an excluded creature?)

In fact, the Night Hag still seems pretty challenging for higher level parties when used this way. Greater Restoration at least removes reduction of HP maximum, but killing the long rest can allow the Night Hag to systematically weaken a party. Etherealness lasts 8 hours and will eventually allow the party to post a sentinel in the Ethereal Plane (and hope the Night Hag doesn’t kill the sentinel).

Please help before I TPK my players.
