From 72e13889d0a02e6be40e3135f4fd7ae734ba0800 Mon Sep 17 00:00:00 2001
From: Benedikt - Desktop
Date: Sun, 2 Dec 2018 18:28:46 +0100
Subject: [PATCH] Started NIST explanation
---
 .../main/resources/html/SecurePasswords.html | 4 +++
 .../lessonPlans/en/SecurePasswords_1.adoc | 11 ++++++-
 .../lessonPlans/en/SecurePasswords_2.adoc | 29 +++++++++++++++++++
 .../lessonPlans/en/SecurePasswords_intro.adoc | 7 +++++
 4 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
index 999524d90..f5cdb02b8 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
+++ b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html
@@ -10,4 +10,8 @@
+
+
+
+
\ No newline at end of file
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
index 0aee77ef3..dc5c149b3 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc
@@ -1 +1,10 @@
-== 1
\ No newline at end of file
+== National Institute of Standards and Technology (NIST)
+The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce.
+Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
+
+NIST develops Federal Information Processing Standards (FIPS) which the Secretary of Commerce approves and with which federal agencies must comply.
+
+NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.
+These guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
+
+(Description from https://www.passwordping.com/surprising-new-password-guidelines-nist/)
\ No newline at end of file
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
new file mode 100644
index 000000000..d3f94ef7e
--- /dev/null
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc
@@ -0,0 +1,29 @@
+== NIST password standard
+
+The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems.
+
+Here are some of the most important recommendations made by the most recent NIST standard:
+
+- *no composition rules* +
+Do not request the user to e.g. use at least one upper case letter and a special character on their password.
+Give them the opportunity to, but do not force them!
+- *no password hints* +
+If you wanted people have a better chance at guessing your password, write it on a note attached to your screen.
+- *no security questions* +
+Security questions, also known as knowledge-based authentication (KBA) are outdated.
+Asking a user “What’s the name of your pet?” or something similar to check if it’s really him, is pretty unsecure.
+- *no unnecessary changing of passwords*
+If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period of time.
+- *minimum size of 8 characters* +
+A secure password nowadays should be at LEAST 8 characters long (up to 64).
+This is a minimum, not a maximum minimum!
+- *support all UNICODE characters* +
+You should allow all kind of UNICODE characters in a password.
+This also includes emojis and whitespaces.
+- *strength meter* +
+Add a strength meter on the password creation page to help the user to choose a strong and secure password.
+- *check the password against known bad choices*
+* passwords obtained from previous breach corpuses
+* dictionary words
+* repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
+* context-specific words, such as the name of the service, the username, and derivatives thereof
\ No newline at end of file
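Review bot: The "minimum size of 8 characters" bullet misstates SP 800-63B §5.1.1.2: 8 characters is the minimum for a subscriber-chosen memorized secret, and 64 is the length a verifier SHOULD at least permit, not an upper bound, so "(up to 64)" teaches a cap the guideline does not set; suggest `A user-chosen password should be at least 8 characters long, and the system should accept passwords of at least 64 characters (longer is fine).` The opening sentence also equates the guidance with the whole "Special Publications (SP) 800-series", whereas the linked document is a single publication in that series, so it should read `The NIST password guidance (https://pages.nist.gov/800-63-3/sp800-63b.html[NIST SP 800-63B], part of the SP 800-series) is a guideline ...`. The list covers only the user-facing rules; the verifier-side requirements of the same section are what an implementer of "a secure password system" must actually build and should be added as bullets: rate limiting of failed authentication attempts, storage of passwords only as salted hashes produced by a slow key-derivation function (the document names PBKDF2 as an example), and no hint stored that is readable by an unauthenticated claimant. It would help readers to mark which items are requirements (SHALL: length minimum, blocklist check, rate limiting, salted hashing) and which are recommendations (SHOULD: strength meter, no composition rules, no periodic change, Unicode support). Minor: "unsecure" should be "insecure", and the "no unnecessary changing of passwords" heading appears to lack the trailing ` +` hard line break the other bullets carry, so its explanation will likely render on the same line as the heading.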
diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
index 2905477dc..8bdde03ed 100644
--- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
+++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc
@@ -1,2 +1,9 @@
 == Secure Passwords
+In this lesson the user will learn about how to create secure passwords.
+We will take a look at most important recommendations made by the NIST password standard.
+
+Goals:
+
+- The user knows how a secure password should look like and what specifications it should fulfill
+- The user has a basic understanding of how to implement a secure password system