From 2a26cc3cc774247cd11cfb238e817b1a98aaa758 Mon Sep 17 00:00:00 2001 From: PhilippeSteinbach Date: Thu, 6 Dec 2018 21:30:44 +0100 Subject: [PATCH] polished feedback, implemented password warnings and suggestions --- .../plugin/SecurePasswordsAssignment.java | 41 ++++++++++++------- 1 file changed, 27 insertions(+), 14 deletions(-) diff --git a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java index fbbe4d29f..fcd255182 100644 --- a/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java +++ b/webgoat-lessons/secure-passwords/src/main/java/org/owasp/webgoat/plugin/SecurePasswordsAssignment.java @@ -1,11 +1,11 @@ package org.owasp.webgoat.plugin; +import com.nulabinc.zxcvbn.Feedback; import com.nulabinc.zxcvbn.Strength; import com.nulabinc.zxcvbn.Zxcvbn; import org.jruby.RubyProcess; import org.owasp.webgoat.assignments.AssignmentEndpoint; -import org.owasp.webgoat.assignments.AssignmentHints; import org.owasp.webgoat.assignments.AssignmentPath; import org.owasp.webgoat.assignments.AttackResult; import org.springframework.web.bind.annotation.RequestMapping; @@ -22,12 +22,12 @@ import java.text.DecimalFormatSymbols; import java.util.Arrays; import java.util.List; import java.util.Locale; +import java.util.ResourceBundle; import java.util.concurrent.TimeUnit; import java.util.regex.Matcher; import java.util.regex.Pattern; @AssignmentPath("SecurePasswords/assignment") -//@AssignmentHints(value = {"xss-mitigation-3-hint1", "xss-mitigation-3-hint2", "xss-mitigation-3-hint3", "xss-mitigation-3-hint4"}) public class SecurePasswordsAssignment extends AssignmentEndpoint { @RequestMapping(method = RequestMethod.POST) @@ -42,15 +42,24 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint { output.append("Your Password: " + password + "
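Review bot: The added `import com.nulabinc.zxcvbn.Feedback;` is not referenced by any new code in this patch, which reaches the feedback through `strength.getFeedback()` without ever naming the type, so it looks like an unused import unless some part of the file outside these hunks uses it. Since this hunk already prunes `AssignmentHints`, the neighbouring context line `import org.jruby.RubyProcess;` deserves the same check: nothing visible in this file uses it, and a JRuby dependency in a password-strength lesson is surprising.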
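Review bot: `import java.util.ResourceBundle;` is added here but nothing in the patched code uses it; unless it is used outside these hunks it should be dropped rather than left in place for a later change. Note also that the `calculateTime` rewrite further down removes the only visible use of `TimeUnit`, so the context line `import java.util.concurrent.TimeUnit;` in this hunk would become unused as well unless that rewrite is made to keep using it.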
"); output.append("Length: " + password.length()+ "
"); output.append("Estimated guesses needed to crack your password: " + df.format(strength.getGuesses())+ "
"); - output.append("Score: " + strength.getScore()+ "/5"); + output.append("
Score: " + strength.getScore()+ "/4
"); if(strength.getScore()<=1){ - output.append("
 

"); + output.append("
 

"); } else if(strength.getScore()<=3){ - output.append("
 

"); + output.append("
 

"); } else{ - output.append("
 

"); + output.append("
 

"); + } + output.append("Estimated cracking time: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond())); + if(strength.getFeedback().getWarning().length() != 0) + output.append("
Warning: " + strength.getFeedback().getWarning()); + // possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee + // maybe ask user to try also weak passwords to see and understand feedback? + if(strength.getFeedback().getSuggestions().size() != 0){ + output.append("
Suggestions:

"); } - output.append("Estimated cracking time in seconds: " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond())); if(strength.getScore() >= 4) return trackProgress(success().feedback("securepassword-success").output(output.toString()).build()); @@ -59,14 +68,18 @@ public class SecurePasswordsAssignment extends AssignmentEndpoint { } public static String calculateTime(long seconds) { - int day = (int) TimeUnit.SECONDS.toDays(seconds); - int year = day/365; - day = day % 365; - long hours = TimeUnit.SECONDS.toHours(seconds) - (day *24); - long minute = TimeUnit.SECONDS.toMinutes(seconds) - (TimeUnit.SECONDS.toHours(seconds)* 60); - long second = TimeUnit.SECONDS.toSeconds(seconds) - (TimeUnit.SECONDS.toMinutes(seconds) *60); + int s = 1; + int min = (60*s); + int hr = (60*min); + int d = (24*hr); + int yr = (365*d); - return (year + " years " + day + " days " + hours + " hours " + minute + " minutes " + second + " seconds"); + long years = seconds/(d)/365; + long days = (seconds%yr)/(d); + long hours = (seconds%d)/(hr); + long minutes = (seconds%hr)/(min); + long sec = (seconds%min*s); + return (years + " years " + days + " days " + hours + " hours " + minutes + " minutes " + sec + " seconds"); } } \ No newline at end of file
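Review bot: The new `Estimated cracking time:` line drops the attacker model from the label while still feeding `calculateTime` only `getOnlineNoThrottling10perSecond()`, so a learner reads one of zxcvbn's most optimistic scenarios as "the" cracking time; the offline scenarios zxcvbn also estimates are many orders of magnitude faster. Name the scenario in the string, e.g. `output.append("Estimated cracking time (online attack, no throttling, 10 guesses/s): " + calculateTime((long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()));`, or print an offline estimate alongside it. The `(long)` cast of that estimate saturates at `Long.MAX_VALUE` when the double exceeds the long range, which `calculateTime` then renders as roughly 292 billion years instead of an "effectively uncrackable" message — presumably rare at 10 guesses/s, but worth a cap. `strength.getFeedback().getWarning().length() != 0` assumes the warning is never null; if the zxcvbn4j API can return null there, null-check before calling `length()`. The suggestions loop between `Suggestions:` and the score check is not legible in this rendering (its HTML markup was stripped), so its body could not be reviewed here.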
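Review bot: The rewritten `calculateTime` spells its unit conversions as mutable locals `s`, `min`, `hr`, `d`, `yr` and multiplies by `s` (always 1) in `long sec = (seconds%min*s);`, which reads like arithmetic but is a no-op. The previous `TimeUnit`-based version was wrong in its hour and minute terms, but `TimeUnit` combined with `%` produces the same result as the new code for every non-negative input without the magic locals, and keeps the still-imported `TimeUnit` in use. Negative inputs would print negative components with either version; the only caller visible here passes a `(long)` cast of a crack-time estimate, so that case is presumably unreachable, but a guard or comment would make it explicit.
```java
public static String calculateTime(long seconds) {
    long years = TimeUnit.SECONDS.toDays(seconds) / 365;
    long days = TimeUnit.SECONDS.toDays(seconds) % 365;
    long hours = TimeUnit.SECONDS.toHours(seconds) % 24;
    long minutes = TimeUnit.SECONDS.toMinutes(seconds) % 60;
    long sec = seconds % 60;
    return (years + " years " + days + " days " + hours + " hours " + minutes + " minutes " + sec + " seconds");
}
```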