diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java
index fbbe4d29f..fcd255182 100644
--- a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java
+++ b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java
@@ -1,11 +1,11 @@
package org.owasp.webgoat.plugin;
+import com.nulabinc.zxcvbn.Feedback;
import com.nulabinc.zxcvbn.Strength;
import com.nulabinc.zxcvbn.Zxcvbn;
import org.jruby.RubyProcess;
import org.owasp.webgoat.assignments.AssignmentEndpoint;
-import org.owasp.webgoat.assignments.AssignmentHints;
import org.owasp.webgoat.assignments.AssignmentPath;
import org.owasp.webgoat.assignments.AttackResult;
import org.springframework.web.bind.annotation.RequestMapping;
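Review bot: The added `import com.nulabinc.zxcvbn.Feedback;` is not referenced by any new line visible in this diff (the feedback hunk below chains `strength.getFeedback()...` without naming the type), and the same applies to `import java.util.ResourceBundle;` added in the next hunk; unless they are used in a part of the file outside this diff, both should be dropped or the feedback code should be changed to declare a `Feedback` local. The pre-existing `import org.jruby.RubyProcess;` context line also looks unused from what is visible here and is worth removing in the same pass, since it pulls a JRuby dependency into a password-strength lesson for no visible reason.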
@@ -22,12 +22,12 @@ import java.text.DecimalFormatSymbols;
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
+import java.util.ResourceBundle;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@AssignmentPath("SecurePasswords/assignment")
-//@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"})
public class SecurePasswordsAssignment extends AssignmentEndpoint {
@RequestMapping(method = RequestMethod.POST)
@@ -42,15 +42,24 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
output.append("Your Password: " + password + "");
output.append("Length: " + password.length()+ "");
output.append("Estimated guesses needed to crack your password: " + df.format(strength.getGuesses())+ "");
- output.append("Score: " + strength.getScore()+ "/5");
+ output.append("
Score: " + strength.getScore()+ "/4
");
if(strength.getScore()<=1){
- output.append("
");
+ output.append("
");
} else if(strength.getScore()<=3){
- output.append("
");
+ output.append("
");
} else{
- output.append("
");
+ output.append("
");
+ }
+ output.append("Estimated cracking time: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
+ if(strength.getFeedback().getWarning().length() != 0)
+ output.append("Warning: " + strength.getFeedback().getWarning());
+ // possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee
+ // maybe ask user to try also weak passwords to see and understand feedback?
+ if(strength.getFeedback().getSuggestions().size() != 0){
+ output.append("Suggestions:");
+ for(String sug: strength.getFeedback().getSuggestions()) output.append("- "+sug+"
");
+ output.append("
");
}
- output.append("Estimated cracking time in seconds: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));
if(strength.getScore() >= 4)
return trackProgress(success().feedback("securepassword-success").output(output.toString()).build());
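Review bot: The new feedback block evaluates `strength.getFeedback()` four times (the warning check, the warning append, the suggestions check and the loop) where a single local would do; declaring `Feedback feedback = strength.getFeedback();` once before the warning check would also give the `Feedback` import added in the first hunk a use. The `if` guarding the warning append and the one-line `for` over the suggestions have no braces, unlike the surrounding `if`/`else if`/`else` chain, so they should be braced for consistency. The `getWarning().length() != 0` check assumes the library never returns a null warning — I cannot confirm that from here, so `warning != null && !warning.isEmpty()` would be the safer guard. Note that the enclosing handler method starts outside this hunk, and that the new lines are appended to the same unescaped HTML buffer that reflects the raw `password` value at the top of the hunk; the library strings added here are not user-controlled, but that reflection of the submitted password is worth HTML-escaping.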
@@ -59,14 +68,18 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint {
}
public static String calculateTime(long seconds) {
- int day = (int) TimeUnit.SECONDS.toDays(seconds);
- int year = day/365;
- day = day % 365;
- long hours = TimeUnit.SECONDS.toHours(seconds) - (day *24);
- long minute = TimeUnit.SECONDS.toMinutes(seconds) - (TimeUnit.SECONDS.toHours(seconds)* 60);
- long second = TimeUnit.SECONDS.toSeconds(seconds) - (TimeUnit.SECONDS.toMinutes(seconds) *60);
+ int s = 1;
+ int min = (60*s);
+ int hr = (60*min);
+ int d = (24*hr);
+ int yr = (365*d);
- return (year + " years " + day + " days " + hours + " hours " + minute + " minutes " + second + " seconds");
+ long years = seconds/(d)/365;
+ long days = (seconds%yr)/(d);
+ long hours = (seconds%d)/(hr);
+ long minutes = (seconds%hr)/(min);
+ long sec = (seconds%min*s);
+ return (years + " years " + days + " days " + hours + " hours " + minutes + " minutes " + sec + " seconds");
}
}
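Review bot: The rewritten `calculateTime` derives its unit sizes from five mutable `int` locals (`s`, `min`, `hr`, `d`, `yr`) recomputed on every call, with `long years = seconds/(d)/365` bypassing the `yr` it just computed and `seconds%min*s` multiplying by a constant 1; this reads as scratch code rather than a finished helper. The arithmetic itself is correct and fixes the old version's bug of subtracting `day*24` after `day` had already been reduced modulo 365, so the change is an improvement in behaviour. I would lift the unit sizes to `private static final long` constants on the class (outside this hunk) and use them uniformly, as sketched below; `java.time.Duration` would also do this, but I cannot tell from the visible file which Java level the project targets. With `TimeUnit` no longer referenced in this method, its import on the earlier context line should be checked for other uses and removed if there are none.
```java
private static final long SECONDS_PER_MINUTE = 60;
private static final long SECONDS_PER_HOUR = 60 * SECONDS_PER_MINUTE;
private static final long SECONDS_PER_DAY = 24 * SECONDS_PER_HOUR;
private static final long SECONDS_PER_YEAR = 365 * SECONDS_PER_DAY;

public static String calculateTime(long seconds) {
    long years = seconds / SECONDS_PER_YEAR;
    long days = (seconds % SECONDS_PER_YEAR) / SECONDS_PER_DAY;
    long hours = (seconds % SECONDS_PER_DAY) / SECONDS_PER_HOUR;
    long minutes = (seconds % SECONDS_PER_HOUR) / SECONDS_PER_MINUTE;
    long sec = seconds % SECONDS_PER_MINUTE;
    // … unchanged: return string assembly …
}
```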
\ No newline at end of file