Added explanations for creating and storing passwords.

webgoat-lessons/secure-passwords/src/main/resources/html/SecurePasswords.html

@@ -14,4 +14,12 @@
     <div class="adoc-content" th:replace="doc:SecurePasswords_2.adoc"></div>
 </div>
 
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SecurePasswords_3.adoc"></div>
+</div>
+
+<div class="lesson-page-wrapper">
+    <div class="adoc-content" th:replace="doc:SecurePasswords_4.adoc"></div>
+</div>
+
 </html>

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_2.adoc

@@ -2,6 +2,7 @@
 
 The NIST password standard (also known as the https://pages.nist.gov/800-63-3/sp800-63b.html[Special Publications (SP) 800-series]) is a guideline that provides recommendations for implementing secure password systems.
 
+=== Password rules
 Here are some of the most important recommendations made by the most recent NIST standard:
 
 - *no composition rules* +
@@ -27,3 +28,15 @@ Here are some of the most important recommendations made by the most recent NIST
   * dictionary words
   * repetitive or sequential characters (e.g. ‘aaaaaa’, ‘1234abcd’)
   * context-specific words, such as the name of the service, the username, and derivatives thereof
+
+=== Usability
+
+Besides the recommendations above, the NIST standard also recommends to increase the usability of password forms to increase the likelihood of users choosing a strong and secure password. Some of those are:
+
+- *allow pasting into the password input* +
+  Users should be able to use the "paste" functionality when entering a password.
+  Since this facilitates the use of password managers, it also increases the likelihood that the user will choose a strong password.
+- *allow to display the password* +
+  Password inputs should have an option to display the entered password to assist the user in successfully entering a password.
+- *offer a strength meter* +
+  Add a strength meter on the password creation page to help the user to choose a strong and secure password.

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_3.adoc

@@ -0,0 +1,19 @@
+== Are your passwords secure?
+
+What about you? Are your passwords secure?
+
+There are websites that allow to test if one of your accounts got breached in a past data breach. +
+Go to https://haveibeenpwned.com/Passwords[Have I Been Pwned] or https://www.dehashed.com/[DEHASHED] per example and test if your account got breached.
+If so, better change your passwords *right now*!
+
+=== What can you do to improve security of your account?
+- *use different passwords for different accounts* +
+  It is a good thing to NOT use the same password for multiple accounts but rather to use different passwords for each one.
+  * *use passphrases* +
+  Use passphrase generators like https://www.rempe.us/diceware/#eff[Diceware] to generate passphrases.
+  Passphrases are passwords made out of a number of words instead of randomly generated character sequences.
+  This makes them way easier to remember for us human beings. And by the way: The longer the better!
+  * *use a password manager* +
+  If you can't remember all of your different passwords, use a password manager to create an then securely store your passwords.
+- *use two factor authentication* +
+  If possible, use two factor authentication methods to add an extra layer of security to your accounts.

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_4.adoc

@@ -0,0 +1,33 @@
+== Storing passwords
+
+After a strong and secure password was created, it also has to be stored in a secure way.
+The NIST gives recommendations on how applications should handle passwords and how to store them securely.
+
+=== How should a password be stored?
+
+- first of all: *use encryption and a protected channel for requesting passwords* +
+  The verifier shall use approved encryption and an authenticated protected channel when requesting memorized secrets
+  in order to provide resistance to eavesdropping and MitM (Man-in-the-middle) attacks.
+- *resistant to offline attacks* +
+  Passwords should be stored in a form that is resistant to offline attacks.
+- *use salts* +
+  Passwords should be salted before storing them.
+  The salt shall have at least 32 bits in length and should be chosen arbitrarily so as to minimize salt value collisions among stored hashes.
+- *use hashing* +
+  Before storing a password it should be hashed with a one way key derivation function.
+  The function takes the password, the salt and a cost factor as inputs and then generates a password hash. +
+  Examples of suitable key derivation functions:
+  * Password-based Key Derivation Function 2 (https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[PBKDF2]) (as large as possible => at least 10.000 iterations)
+  * https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-132[BALLOON]
+  * The key derivation function shall use an approved one-way function such as:
+    ** Keyed Hash Message Authentication Code (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS198-1[HMAC])
+    ** any approved hash function in https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-107[SP 800-107]
+    ** Secure Hash Algorithm 3 (https://pages.nist.gov/800-63-3/sp800-63b.html#FIPS202[SHA-3])
+    ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-38B[CMAC]
+    ** Keccak Message Authentication Code (KMAC)
+    ** Customizable SHAKE (cSHAKE)
+    ** https://pages.nist.gov/800-63-3/sp800-63b.html#SP800-185[ParallelHash]
+- *memory hard key derivation function* +
+  Use memory hard key derivation functions to further increase the needed cost to perform attacks.
+- *high cost factor* +
+  The cost factor (iteration count) of the key derivation function should be as large as verification server performance will allow. (at least 10.000 iterations)

webgoat-lessons/secure-passwords/src/main/resources/lessonPlans/en/SecurePasswords_intro.adoc

@@ -1,9 +1,8 @@
 == Secure Passwords
-In this lesson the user will learn about how to create secure passwords.
+In this lesson the user will learn about how to create strong passwords and how to store them in a secure way.
 We will take a look at most important recommendations made by the NIST password standard.
 
 Goals:
 
-- The user knows how a secure password should look like and what specifications it should fulfill
-- The user has a basic understanding of how to implement a secure password system
-
+- The user knows how a strong password should look like and what specifications it should fulfill
+- The user has a basic overview of what to pay attention to when developing an application that stores passwords