Added Assignment for Security Questions.

webgoat-lessons/password-reset/src/main/resources/html/PasswordReset.html

@@ -139,6 +139,37 @@
     </div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
+    <div class="attack-container">
+        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
+        <form class="attack-form" accept-charset="UNKNOWN"
+              method="POST" name="form"
+              action="/WebGoat/PasswordReset/SecurityQuestions"
+              enctype="application/json;charset=UTF-8">
+            <select name="question">
+                <option>What is your favorite animal?</option>
+                <option>In what year was your mother born?</option>
+                <option>What was the time you were born?</option>
+                <option>What is the name of the person you first kissed?</option>
+                <option>What was the house number and street name you lived in as a child?</option>
+                <option>In what town or city was your first full time job?</option>
+                <option>In what city were you born?</option>
+                <option>On which wrist do you were your watch?</option>
+                <option>What was the last name of your favorite teacher in grade three?</option>
+                <option>What is the name of a college/job you applied to but didn't attend?</option>
+                <option>What are the last 5 digits of your drivers license?</option>
+                <option>What was your childhood nickname?</option>
+                <option>Who was your childhood hero?</option>
+                <option>What is your favorite color?</option>
+            </select>
+            <input name="Check Question" value="check" type="SUBMIT"/>
+        </form>
+        <br/>
+        <div class="attack-output"></div>
+    </div>
+</div>
+
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:PasswordReset_host_header.adoc"></div>
     <div class="attack-container">
@@ -235,36 +266,4 @@
 <div class="lesson-page-wrapper">
     <div class="adoc-content" th:replace="doc:PasswordReset_mitigation.adoc"></div>
 </div>
-
-<div class="lesson-page-wrapper">
-    <div class="adoc-content" th:replace="doc:PasswordReset_SecurityQuestions.adoc"></div>
-    <div class="attack-container">
-        <div class="assignment-success"><i class="fa fa-2 fa-check hidden" aria-hidden="true"></i></div>
-        <form class="attack-form" accept-charset="UNKNOWN"
-              method="POST" name="form"
-              action="/WebGoat/PasswordReset/SecurityQuestions"
-              enctype="application/json;charset=UTF-8">
-            <select name="question">
-                <option>What is your favorite animal?</option>
-                <option>In what year was your mother born?</option>
-                <option>What was the time you were born?</option>
-                <option>What is the name of the person you first kissed?</option>
-                <option>What was the house number and street name you lived in as a child?</option>
-                <option>In what town or city was your first full time job?</option>
-                <option>In what city were you born?</option>
-                <option>On which wrist do you were your watch?</option>
-                <option>What was the last name of your favorite teacher in grade three?</option>
-                <option>What is the name of a college/job you applied to but didn't attend?</option>
-                <option>What are the last 5 digits of your drivers license?</option>
-                <option>What was your childhood nickname?</option>
-                <option>Who was your childhood hero?</option>
-                <option>What is your favorite color?</option>
-            </select>
-            <input name="Check Question" value="check" type="SUBMIT"/>
-        </form>
-        <br/>
-        <div class="attack-feedback"></div>
-        <div class="attack-output"></div>
-    </div>
-</div>
 </html>

webgoat-lessons/password-reset/src/main/resources/lessonPlans/en/PasswordReset_SecurityQuestions.adoc

@@ -1,17 +1,16 @@
-== Choosing a Security Question
+== The Problem with Security Questions
 
-We have already talked about Security questions a bit. A good security question should meet the following criteria:
+While Security Questions my at first seem like a good way for authentication of a user, they
+have some big problems.
 
-- Safe: The answer should not be easy to research or guess.
-- Stable: The answer should be stable, meaning that it is not subject to change.
-- Memorable: The answer should be easy to remember.
-- Simple: The question should be: precise, easy and consistent.
-- Many: The question should have many possible answers.
+The "perfect" Security Question should be hard to crack, but easy to remember. Also the answer needs to fixed,
+so the answer must not be subject to change.
 
-== Try It! Choosing a  good security question.
+There are only a handful of questions which satisfy these criteria and practically none which apply to anybody.
 
-In this assignment your goal is to good security question from the dropdown list below.
-The Assignment is complete when you picked a security question which is considered good.
+If you have to pick a security question, we recommend not answering them truthfully.
 
-Note: Some may say that one question is better than another, so this list is a bit subjective.
-      But you should not be having any problem differencing between the good and bad.
+To further elaborate on the matter, there is a small assignment for you: There is a list of some common security questions.
+if you choose one, it will show to you why the question you picked is not really as good as one may think.
+
+When you have looked at two questions the assignment will be marked as complete.