Started NIST explanation

webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html

@@ -10,4 +10,8 @@
     <div class="adoc-content" th:replace="doc:SecurePasswords_1.adoc"></div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div>
+</div>
+
 </html>

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_1.adoc

@@ -1 +1,10 @@
-== 1
+== National Institute of Standards and Technology (NIST)
+The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce.
+Its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
+
+NIST develops Federal Information Processing Standards (FIPS) which the Secretary of Commerce approves and with which federal agencies must comply.
+
+NIST also provides guidance documents and recommendations through its Special Publications (SP) 800-series.
+These guidelines often become the foundation for best practice recommendations across the security industry and are incorporated into other standards.
+
+(Description from https://www.passwordping.com/surprising-new-password-guidelines-nist/)

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc

@@ -0,0 +1,29 @@
+== NIST password standard
+
+The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems.
+
+Here are some of the most important recommendations made by the most recent NIST standard:
+
+- *no composition rules* +
+  Do not request the user to e.g. use at least one upper case letter and a special character on their password.
+  Give them the opportunity to, but do not force them!
+- *no password hints* +
+  If you wanted people have a better chance at guessing your password, write it on a note attached to your screen.
+- *no security questions* +
+  Security questions, also known as knowledge-based authentication (KBA) are outdated.
+  Asking a user “What’s the name of your pet?” or something similar to check if it’s really him, is pretty unsecure.
+- *no unnecessary changing of passwords*
+  If you want users to comply and choose long, hard-to-guess passwords, you should not make them change those passwords unnecessarily after a certain period of time.
+- *minimum size of 8 characters* +
+  A secure password nowadays should be at LEAST 8 characters long (up to 64).
+  This is a minimum, not a maximum minimum!
+- *support all UNICODE characters* +
+  You should allow all kind of UNICODE characters in a password.
+  This also includes emojis and whitespaces.
+- *strength meter* +
+  Add a strength meter on the password creation page to help the user to choose a strong and secure password.
+- *check the password against known bad choices*
+  * passwords obtained from previous breach corpuses
+  * dictionary words
+  * repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
+  * context-specific words, such as the name of the service, the username, and derivatives thereof

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc

@@ -1,2 +1,9 @@
 == Secure Passwords
+In this lesson the user will learn about how to create secure passwords.
+We will take a look at most important recommendations made by the NIST password standard.
+
+Goals:
+
+- The user knows how a secure password should look like and what specifications it should fulfill
+- The user has a basic understanding of how to implement a secure password system