Best practices for storing long-term access credentials locally in a desktop application?

I’m wondering how applications like Skype and Dropbox store access credentials securely on a user’s computer. I imagine the flow for doing this would look something like this:

  1. Prompt the user for a username/password if it's the first time
  2. Acquire an access token using the user-provided credentials
  3. Encrypt the token using a key which is really just a complex combination of some static parameters that the desktop application can generate deterministically. For example something like:
value = encrypt(data=token, key=[os_version]+[machine_uuid]+[username]+...)
  4. Store value in the keychain on OSX or Credential Manager on Windows.
  5. Decrypt the token when the application needs it by generating the key

So two questions:

  1. Is what I described remotely close to what a typical desktop application that needs to store user access tokens long term does?
  2. How can a scheme like this be secure? Presumably, any combination of parameters we use to generate the key can also be generated by a piece of malware on the user's computer. Do most applications just try to make this key as hard to generate as possible and keep their fingers crossed that no one guesses how it is generated?
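An added example (not code from the original post) that makes the second question concrete. It implements the derivation the post sketches, key = KDF(os_version + machine_id + username + ...), using HKDF (RFC 5869) built on hmac/hashlib from the Python standard library, and then shows that attacker code running on the same machine recovers a byte-identical key from the same public inputs. The contrast case mixes in a secret the application never stores (a passphrase typed by the user). The function names, APP_SALT and WRAP_INFO values are assumptions for illustration only.

```python
"""A key derived from machine attributes is reproducible by any local process.

Added example, not code from the original post. Names and constants are
illustrative assumptions; HKDF follows RFC 5869 (SHA-256).
"""
import getpass
import hashlib
import hmac
import platform
import uuid

APP_SALT = b"desktop-app-v1"   # shipped inside the binary, so it is not a secret (assumption)
WRAP_INFO = b"token-wrap"      # HKDF context label (assumption)


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """HKDF extract-then-expand per RFC 5869, SHA-256 only."""
    prk = hmac.new(salt if salt else bytes(32), ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def app_fingerprint() -> bytes:
    """The post's 'static parameters'. Every value here is readable by any
    process in the user's context. uuid.getnode() is cached per process, so
    it is stable even on hosts where no hardware address is found."""
    parts = [platform.system(), platform.release(), hex(uuid.getnode()), getpass.getuser()]
    return "|".join(parts).encode()


def app_wrapping_key(user_secret: bytes = b"") -> bytes:
    """Key the app would use to wrap the token. With user_secret empty this
    is exactly the scheme described in the post."""
    return hkdf_sha256(app_fingerprint() + user_secret, APP_SALT, WRAP_INFO, 32)


def attacker_wrapping_key() -> bytes:
    """Malware that has reverse-engineered the binary: same calls, same constants.
    Deliberately does not call the app's helpers, to make the independence explicit."""
    fp = "|".join([platform.system(), platform.release(),
                   hex(uuid.getnode()), getpass.getuser()]).encode()
    return hkdf_sha256(fp, APP_SALT, WRAP_INFO, 32)


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison, as one would use when checking any key or MAC."""
    return hmac.compare_digest(a, b)


if __name__ == "__main__":
    print("attacker recovers key:",
          keys_match(app_wrapping_key(), attacker_wrapping_key()))                   # True
    print("with a user passphrase:",
          keys_match(app_wrapping_key(b"correct horse"), attacker_wrapping_key()))   # False
```

The only inputs that add security are the ones code running as the user cannot read back, and a passphrase is the obvious one, at the cost of prompting (which is what "remember me" is trying to avoid). The OS credential stores in step 4 are a better default than a home-grown KDF because their wrapping key comes from the login session rather than from the binary, but note the caveat: Windows DPAPI in user scope decrypts for any process running as that user, so these stores protect against offline disk theft and other accounts, not against malware already in the session. Against that attacker the remaining controls are server-side: short-lived, narrowly scoped, revocable tokens.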

How do I make a long-term "chase" sequence interesting?

I have a lovely quartet of players trapped in the wilderness, at least 10 days march from the nearest settlement, which is their destination.

There is an antagonistic force in the area, and I had originally planned for it to “hunt” them — bring less than its full force to bear, to drag out and otherwise endanger them throughout their journey. But I’m looking for something to break up the monotony of 10 days of travel plus once-a-day (or so) combat. The PCs are attempting to escort civilians, so “sidequests” that involve diverting from their destination aren’t likely to lure them off.

The arc of this part of the story is that the antagonistic force has switched from passive aggression “you were tasked with slaying a werewolf by a third party, who fights to defend himself”, to active aggression “you are being pursued by werewolves”, with the intent to drive home that their foe is canny, intelligent, and not to be underestimated.

Outside of that, what can I do to spice up the journey, to keep things interesting when they’re not being set upon by monsters?

Attacker models of long-term logins: how should sensitive server endpoints require re-authentication?

Let’s see the following scenario:

  • “GutHib” is a fictional hosting service in the form of an online webapp for the fictional DVCS software “Gut”.
  • Alice logged in to GutHib with her password and 2FA, providing a strong proof that she really is the one who the registered account belongs to. (Let’s assume she did well keeping her password and 2FA information safe, and no one else can access her account.)
  • Alice set remember me to true at login, so she does not need to log in every time she wants to browse on GutHib.
  • After 3 months of the first & only login to GutHib, Alice accidentally left her laptop open in a café while paying with her phone at the cash register. An attacker came to the laptop, opened GutHib, and since Alice had set remember me to true, the attacker could access the site's functionality while impersonating Alice, and clicked the "Transfer repository ownership" button on an important repository's admin page. This only required being logged in, so one of Alice's important repos was stolen.

By requiring re-authentication for this sensitive & destructive write operation, GutHib could have prevented the theft of Alice's code: the password is known only to her, and the phone with the 2FA app was also with her.

E.g. the api/transfer-repository endpoint could require an elevated session type based on password/2FA re-entry (e.g. PasswordSession or PasswordSession + TwoFactorSession, valid for 10min), or even a OneTimeSession acquired with the TwoFactorSession, which is specifically requested and signed for one particular endpoint call (valid only for the next endpoint call it is requested for).

How come today's industry standards and best practices do not support these re-authentication flows?

tl;dr

  1. Is there a standardized way to ensure that the user making a request to a server endpoint (which performs a sensitive, destructive write action) really sits in front of the computer and is the same user who logged in 3 months ago with remember me, and not a malicious attacker?
  2. This is a real attack model. How come this is not supported by today's authentication & authorization industry standards like OpenID Connect & OAuth 2.0? Am I missing something?
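An added example (not code from the original post or from any real service) that models the step-up flow the post proposes on the session side. OpenID Connect does expose building blocks for this (the max_age request parameter with the auth_time claim, and prompt=login), but what the post sketches is the relying party's own policy, which is what the code below implements: a long-lived "remember me" session, an elevated session granted after a fresh password + 2FA proof and valid for 10 minutes (the post's figure), and a one-time token bound to exactly one endpoint and consumed by exactly one call. GutHib and api/transfer-repository come from the post; the other endpoint names, the 60-second one-time token lifetime and the SessionStore API are assumptions for illustration.

```python
"""Step-up re-authentication for sensitive endpoints.

Added example, not code from the original post. Endpoint names other than
api/transfer-repository, the lifetimes and the API are assumptions.
"""
import secrets
import time
from dataclasses import dataclass, field

ELEVATED_TTL = 10 * 60   # seconds an elevated session stays valid (post's figure)
ONE_TIME_TTL = 60        # seconds an unused one-time token stays valid (assumption)

# Endpoint -> required proof level. "session" is the plain remember-me cookie.
POLICY = {
    "api/repos": "session",
    "api/delete-repository": "elevated",     # hypothetical endpoint
    "api/transfer-repository": "one-time",   # from the post
}


class AuthError(Exception):
    pass


@dataclass
class Session:
    user: str
    created: float                                 # time of the original login
    elevated_until: float = 0.0                    # 0 = not elevated
    one_time: dict = field(default_factory=dict)   # token -> (endpoint, expiry)


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock     # injectable so the flow can be exercised offline
        self.sessions = {}

    def login(self, user, password_ok, totp_ok):
        if not (password_ok and totp_ok):
            raise AuthError("login failed")
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(user=user, created=self.clock())
        return sid

    def reauth(self, sid, password_ok, totp_ok):
        """Elevate an existing session; caller has just re-verified both factors."""
        s = self._get(sid)
        if not (password_ok and totp_ok):
            raise AuthError("re-authentication failed")
        s.elevated_until = self.clock() + ELEVATED_TTL

    def issue_one_time(self, sid, endpoint):
        """Mint a single-use token for one endpoint; requires a live elevation."""
        s = self._get(sid)
        self._require_elevated(s)
        tok = secrets.token_urlsafe(32)
        s.one_time[tok] = (endpoint, self.clock() + ONE_TIME_TTL)
        return tok

    def authorize(self, sid, endpoint, one_time=None):
        """Raise AuthError unless the session carries the proof POLICY demands."""
        s = self._get(sid)
        level = POLICY.get(endpoint, "elevated")   # unknown endpoints default to strict
        if level == "session":
            return True
        self._require_elevated(s)
        if level == "one-time":
            entry = s.one_time.pop(one_time, None)   # pop: a replayed token finds nothing
            if entry is None:
                raise AuthError("one-time token missing, unknown or already used")
            bound_endpoint, expiry = entry
            if bound_endpoint != endpoint or expiry < self.clock():
                raise AuthError("one-time token not valid for this call")
        return True

    def _get(self, sid):
        try:
            return self.sessions[sid]
        except KeyError:
            raise AuthError("no such session") from None

    def _require_elevated(self, s):
        if s.elevated_until <= self.clock():
            raise AuthError("re-authentication required")


def allowed(store, sid, endpoint, one_time=None):
    """Boolean wrapper around authorize() for callers that just want yes/no."""
    try:
        return store.authorize(sid, endpoint, one_time)
    except AuthError:
        return False


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("alice", password_ok=True, totp_ok=True)
    print("browse:", allowed(store, sid, "api/repos"))                               # True
    print("transfer, no re-auth:", allowed(store, sid, "api/transfer-repository"))   # False
    store.reauth(sid, password_ok=True, totp_ok=True)
    tok = store.issue_one_time(sid, "api/transfer-repository")
    print("transfer with token:", allowed(store, sid, "api/transfer-repository", tok))  # True
    print("replay:", allowed(store, sid, "api/transfer-repository", tok))            # False
```

Two design points carry the security: the one-time token is removed from the store at the moment it is checked (so a second submission of the same request fails even inside the elevation window), and it is bound to the endpoint it was minted for, so a token obtained for a harmless call cannot be presented to api/transfer-repository. In the café scenario, the attacker holding the remember-me cookie is stopped at the re-authentication step, since neither the password nor the 2FA device is in their hands.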

Long-term photographic travel insurance

The problem is simply put: how can I insure my photographic equipment (3 DSLRs, 7 high-end lenses) for months on end away from "home"? I am a UK resident but live on-and-off in Oslo, for more than half the year. I have no fixed abode in Norway but if I travel home to the UK or elsewhere in Europe, I will leave some or all of my gear in my (temporarily) rented home in Oslo. Most insurance policies, even those specialised for professional photographers, have the concept of a "trip" of a fixed length (90 days is a common maximum) during which the gear is covered, but some of my gear never goes home at all, merely being moved from one flat to another while I come and go. How on earth do I get cover?

Need Full-time Freelance Writers for a Long-term Project

Job requirements:
1) Able to produce subjective & researched content (producing high-quality content)
2) Should be able to curate best examples of designs & documents
3) Should have excellent grammar & understanding of users
4) Should have the basic knowledge of WordPress CMS
5) Ability to follow directions
To apply, please send in your work samples to or

Is a party consisting of only a bard, a cleric, and a warlock functional long-term?

After considering it for a long time, I have finally decided to try DMing. The campaign I’m planning is entirely homebrew, and, as an aspiring author, I’m going to focus a bit more on lore, plot, and character building than on combat, but there will still be fighting (I’ve planned at least a few boss battles.)

Three of my friends will be players, but only one has played before. The players opted for a half-elf cleric, a gnome warlock, and a tabaxi bard, and now I’m worried about this party’s composition.

Clerics and bards are often healers and usually lack meaningful offensive spells, so I sense they may end up relying on the warlock for offense. Should I be concerned that this party will be unable to defeat foes that a more traditional party could? Should I encourage the bard’s player, who upon making her character stated that she’d be okay with playing a different class despite her initial preference, to pick a different class so that the party can engage in combat better?

Travel before start of an Italian long-term (Type D) visa and the 90/180 rule following its expiration

OK, I wrote a very lengthy question about being able to stay as a tourist in Italy (I am American) following the expiration of my Italian long-term (type D) student visa. After some searching, I found Article 6 (Entry conditions for third-country nationals), point 2, of the Schengen Borders Code and deleted the original question. The relevant text from the code is as follows:

…the date of entry shall be considered as the first day of stay on the territory of the Member States and the date of exit shall be considered as the last day of stay on the territory of the Member States. Periods of stay authorised under a residence permit or a long-stay visa shall not be taken into account in the calculation of the duration of stay on the territory of the Member States.

Great. If I’ve just finished a long-stay visa, those days don’t count in calculating the 90 days I have in the 90/180 rule for tourism.

However, the question I have is now this:

Even though I have been on a long-term Type D visa in Italy for longer than 180 days, does any time I spent in Italy as a tourist before the visa started count?

I know this might seem like a ridiculous question, but I spent slightly less than 90 days in Italy as a tourist before my long-term visa started and if these days did count, it would significantly reduce the amount of time I could stay in Italy as a tourist after my visa expires.

I’m asking because “shall not be taken into account” can be interpreted in slightly different ways: 1) as if they don’t count at all in the 90 days of the 90/180 day rule and I’m good to go or 2) as if the entire period of your visa didn’t exist at all and you need to factor in any time you spent in the Schengen Zone the day before your visa started. Does anyone have any idea about this?

This is just a side note, but I did make sure to exit the Schengen Zone and re-enter on the start-date of my visa, so I have a stamp with the visa’s start-date.

Thanks for any information!