From 94b936036a0b9573b6adcbd3bda1fa84a4f6a5d7 Mon Sep 17 00:00:00 2001 From: Benedikt - Desktop Date: Mon, 3 Dec 2018 11:25:55 +0100 Subject: [PATCH] Added explanations for creating and storing passwords. --- .../main/resources/html/SecurePasswords.html | 8 +++++ .../resources/i18n/WebGoatLabels.properties | 2 +- .../lessonPlans/en/SecurePasswords_2.adoc | 15 ++++++++- .../lessonPlans/en/SecurePasswords_3.adoc | 19 +++++++++++ .../lessonPlans/en/SecurePasswords_4.adoc | 33 +++++++++++++++++++ .../lessonPlans/en/SecurePasswords_intro.adoc | 7 ++-- 6 files changed, 78 insertions(+), 6 deletions(-) create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc create mode 100644 webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc diff --git a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html index f5cdb02b8..f64694f41 100644 --- a/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html +++ b/webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html @@ -14,4 +14,12 @@
+
+
+
+ +
+
+
+ \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties b/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties index 02f2a60ef..72e901870 100644 --- a/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties +++ b/webgoat-lessons/secure-passwords/src/main/resources/i18n/WebGoatLabels.properties @@ -1 +1 @@ -secure-passwords.title=Secure Passwords +secure-passwords.title=Secure Passwords \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc index d3f94ef7e..3abc649f8 100644 --- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc +++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc @@ -2,6 +2,7 @@ The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems. +=== Password rules Here are some of the most important recommendations made by the most recent NIST standard: - *no composition rules* + 
@@ -26,4 +27,16 @@ Here are some of the most important recommendations made by the most recent NIST * passwords obtained from previous breach corpuses * dictionary words * repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’) - * context-specific words, such as the name of the service, the username, and derivatives thereof \ No newline at end of file + * context-specific words, such as the name of the service, the username, and derivatives thereof + +=== Usability + +Besides the recommendations above, the NIST standard also recommends to increase the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are: + +- *allow pasting into the password input* + + Users should be able to use the "paste" functionality when entering a password. + Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password. +- *allow to display the password* + + Password inputs should have an option to display the entered password to assist the user in successfully entering a password. +- *offer a strength meter* + + Add a strength meter on the password creation page to help the user to choose a strong and secure password. \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc new file mode 100644 index 000000000..128fbb710 --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc 
@@ -0,0 +1,19 @@ +== Are your passwords secure? + +What about you? Are your passwords secure? + +There are websites that allow to test if one of your accounts got breached in a past data breach. + +Go to https://haveibeenpwned.com/Passwords[Have I Been Pwned] or https://www.dehashed.com/[DEHASHED] per example and test if your account got breached. +If so, better change your passwords *right now*! + +=== What can you do to improve security of your account? +- *use different passwords for different accounts* + + It is a good thing to NOT use the same password for multiple accounts but rather to use different passwords for each one. + * *use passphrases* + + Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases. + Passphrases are passwords made out of a number of words instead of randomly generated character sequences. + This makes them way easier to remember for us human beings. And by the way: The longer the better! + * *use a password manager* + + If you can't remember all of your different passwords, use a password manager to create an then securely store your passwords. +- *use two factor authentication* + + If possible, use two factor authentication methods to add an extra layer of security to your accounts. \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc new file mode 100644 index 000000000..5b2523689 --- /dev/null +++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc 
@@ -0,0 +1,33 @@ +== Storing passwords + +After a strong and secure password was created, it also has to be stored in a secure way. +The NIST gives recommendations on how applications should handle passwords and how to store them securely. + +=== How should a password be stored? + +- first of all: *use encryption and a protected channel for requesting passwords* + + The verifier shall use approved encryption and an authenticated protected channel when requesting memorized secrets + in order to provide resistance to eavesdropping and MitM (Man-in-the-middle) attacks. +- *resistant to offline attacks* + + Passwords should be stored in a form that is resistant to offline attacks. +- *use salts* + + Passwords should be salted before storing them. + The salt shall have at least 32 bits in length and should be chosen arbitrarily so as to minimize salt value collisions among stored hashes. +- *use hashing* + + Before storing a password it should be hashed with a one way key derivation function. + The function takes the password, the salt and a cost factor as inputs and then generates a password hash. 
+ + Examples of suitable key derivation functions: + * Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations) + * https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON] + * The key derivation function shall use an approved one-way function such as: + ** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC]) + ** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107] + ** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3]) + ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC] + ** Keccak Message Authentication Code (KMAC) + ** Customizable SHAKE (cSHAKE) + ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash] +- *memory hard key derivation function* + + Use memory hard key derivation functions to further increase the needed cost to perform attacks. +- *high cost factor* + + The cost factor (iteration count) of the key derivation function should be as large as verification server performance will allow. (at least 10.000 iterations) \ No newline at end of file diff --git a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc index 8bdde03ed..be98460a6 100644 --- a/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc +++ b/webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc 
@@ -1,9 +1,8 @@ == Secure Passwords -In this lesson the user will learn about how to create secure passwords. +In this lesson the user will learn about how to create strong passwords and how to store them in a secure way. We will take a look at most important recommendations made by the NIST password standard. Goals: -- The user knows how a secure password should look like and what specifications it should fulfill -- The user has a basic understanding of how to implement a secure password system - +- The user knows how a strong password should look like and what specifications it should fulfill +- The user has a basic overview of what to pay attention to when developing an application that stores passwords \ No newline at end of file
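Review bot: the SecurePasswords.html hunk ends with `\ No newline at end of file`; add a trailing newline so the file ends cleanly and the next edit to it does not show a spurious change on the last line.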
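Review bot: the WebGoatLabels.properties hunk is a whitespace-only change: `-secure-passwords.title=Secure Passwords` and `+secure-passwords.title=Secure Passwords` are identical apart from the dropped trailing newline. Drop this file from the patch (or keep the newline) so the diff carries only the intended content.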
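Review bot: in the SecurePasswords_2.adoc hunk, `+=== Password rules` is inserted directly after the intro paragraph (`...secure password systems.`); AsciiDoc only treats a line as a section title when a blank line precedes it, so make sure one separates the heading from the paragraph or it will render as plain text. In the Usability section, `recommends to increase the usability of password forms` should read `recommends increasing the usability of password forms`, and `*allow to display the password*` should read `*allow displaying the password*`.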
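Review bot: the list in SecurePasswords_3.adoc mixes markers: `*use passphrases*` and `*use a password manager*` use `*` while the surrounding items use `-`, which AsciiDoc renders as a nested sub-list under `*use different passwords for different accounts*`; if these are meant as top-level tips, use `-` throughout. Wording: `per example` should be `for example`, `allow to test if` should be `allow you to test whether`, `create an then securely store` is missing the `d` in `and`, and `two factor authentication` should be hyphenated as `two-factor authentication`.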
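Review bot: in SecurePasswords_4.adoc the BALLOON entry links to `#SP800-132`, the same anchor as the PBKDF2 entry; SP 800-132 is the PBKDF2 recommendation, so the BALLOON link points at the wrong reference. The iteration count is written as `10.000` in two places, which reads as ten in several locales; write `10,000` (or `10000`). The third `*` item, `The key derivation function shall use an approved one-way function such as:`, is not itself an example of a key derivation function but a requirement on whichever one is chosen, so move it out of the examples list into its own bullet or paragraph. Minor: `After a strong and secure password was created` should read `has been created`.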
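Review bot: the SecurePasswords_intro.adoc hunk keeps the grammar error from the line it replaces: `how a strong password should look like` should be `what a strong password should look like` (or `how a strong password should look`). The file also loses its trailing newline (`\ No newline at end of file`); keep the newline so the last goal line ends the file cleanly.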