Created the lesson with new online password checker

src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java

@@ -1,8 +1,14 @@
 
 package org.owasp.webgoat.lessons;
 
-import java.util.ArrayList;
+import java.util.ArrayList; 
+import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
+import java.util.TreeMap;
+import java.util.Map.Entry;
+
+import org.apache.commons.collections.CollectionUtils;
 import org.apache.ecs.Element;
 import org.apache.ecs.ElementContainer;
 import org.apache.ecs.StringElement;
@@ -15,6 +21,7 @@ import org.apache.ecs.html.TD;
 import org.apache.ecs.html.TR;
 import org.apache.ecs.html.Table;
 import org.owasp.webgoat.session.ECSFactory;
+import org.owasp.webgoat.session.ParameterNotFoundException;
 import org.owasp.webgoat.session.WebSession;
 
 
@@ -52,6 +59,38 @@ import org.owasp.webgoat.session.WebSession;
 
 public class PasswordStrength extends LessonAdapter
 {
+	private Map<String, Password> passwords = new TreeMap<String, Password>() {{
+		put("pass1", new Password("123456", "seconds", "0", "dictionary based, in top 10 most used passwords"));
+		put("pass2", new Password("abzfezd", "seconds", "2", "26 chars on 7 positions, 8 billion possible combinations"));
+		put("pass3", new Password("a9z1ezd", "seconds", "19", "26 + 10 chars on 7 positions = 78 billion possible combinations"));
+		put("pass4", new Password("aB8fEzDq", "hours", "15", "26 + 26 + 10 chars on 8 positions = 218 trillion possible combinations"));
+		put("pass5", new Password("z8!E?7D$", "days", "20", "96 chars on 8 positions = 66 quintillion possible combinations"));
+		put("pass6", new Password("My 1st Password!: Redd", "septillion years", "322", "96 chars on 22 positions = 40 tredecillion possible combinations"));
+	}};
+	
+	private class Password {
+		
+		String password;
+		String timeUnit;
+		String answer;
+		private String explaination;
+		
+		public Password(String password, String timeUnit, String answer, String explaination) {
+			this.password = password;
+			this.timeUnit = timeUnit;
+			this.answer = answer;
+			this.explaination = explaination;
+		}
+	}
+	
+	private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
+		boolean allCorrect = false;
+		for ( int i = 0; i < passwords.size(); i++ ) {
+			String key = "pass" + i;
+			allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key));
+		}
+		return allCorrect;
+	}
 
 	/**
 	 * Description of the Method
@@ -66,87 +105,37 @@ public class PasswordStrength extends LessonAdapter
 
 		try
 		{
-			if (s.getParser().getStringParameter("pass1", "").equals("0")
+			if (checkSolution(s))
-					&& s.getParser().getStringParameter("pass2", "").equals("1394")
-					&& s.getParser().getStringParameter("pass3", "").equals("5")
-					&& s.getParser().getStringParameter("pass4", "").equals("2")
-					&& s.getParser().getStringParameter("pass5", "").equals("41"))
 			{
 				makeSuccess(s);
 				ec.addElement(new StringElement("As a guideline not bound to a single solution."));
 				ec.addElement(new BR());
-				ec.addElement(new StringElement("Assuming the brute-force power of 1,000,000 hash/second: "));
+				ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
 				ec.addElement(new BR());
 				OL ol = new OL();
-				ol.addElement(new LI("123456 - 0 seconds        (dictionary based, one of top 100)"));
+				for ( Password password : passwords.values()) {
-				ol.addElement(new LI("abzfez - up to 5 minutes  ( 26 chars on 6 positions = 26^6 seconds)"));
+					ol.addElement(new LI(String.format("%s - %s %s (%s)", password.password, password.answer, password.timeUnit, password.explaination)));
-				ol.addElement(new LI("a9z1ez - up to 40 minutes ( 26+10 chars on 6 positions = 36^6 seconds)"));
+				}
-				ol.addElement(new LI("aB8fEz - up to 16 hours   ( 26+26+10 chars on 6 positions = 62^6 seconds)"));
-				ol.addElement(new LI("z8!E?7 - up to 50 days    ( 127 chars on 6 positions = 127^6 seconds)"));
 				ec.addElement(ol);
 			} else
 			{
-
-				ec.addElement(new StringElement("How much time you need for these passwords? "));
 				ec.addElement(new BR());
+				ec.addElement(new StringElement("How much time would a desktop PC take to crack these passwords?"));
 				ec.addElement(new BR());
 				ec.addElement(new BR());
 				Table table = new Table();
-				table.addAttribute("align='center'", 0);
+				for ( Entry<String, Password> entry : passwords.entrySet()) {
-				TR tr1 = new TR();
+					TR tr = new TR();
-				TD td1 = new TD();
+					TD td1 = new TD();
-				TD td2 = new TD();
+					TD td2 = new TD();
-				Input input1 = new Input(Input.TEXT, "pass1", "");
+					Input input1 = new Input(Input.TEXT, entry.getKey(), "");
-				td1.addElement(new StringElement("Password = 123456"));
+					td1.addElement(new StringElement("Password = " + entry.getValue().password));
-				td2.addElement(input1);
+					td2.addElement(input1);
-				td2.addElement(new StringElement("seconds"));
+					td2.addElement(new StringElement("  " + entry.getValue().timeUnit));
-				tr1.addElement(td1);
+					tr.addElement(td1);
-				tr1.addElement(td2);
+					tr.addElement(td2);
-	
+					table.addElement(tr);
-				TR tr2 = new TR();
+				}
-				TD td3 = new TD();
-				TD td4 = new TD();
-				Input input2 = new Input(Input.TEXT, "pass2", "");
-				td3.addElement(new StringElement("Password = abzfez"));
-				td4.addElement(input2);
-				td4.addElement(new StringElement("seconds"));
-				tr2.addElement(td3);
-				tr2.addElement(td4);
-	
-				TR tr3 = new TR();
-				TD td5 = new TD();
-				TD td6 = new TD();
-				Input input3 = new Input(Input.TEXT, "pass3", "");
-				td5.addElement(new StringElement("Password = a9z1ez"));
-				td6.addElement(input3);
-				td6.addElement(new StringElement("hours"));
-				tr3.addElement(td5);
-				tr3.addElement(td6);
-	
-				TR tr4 = new TR();
-				TD td7 = new TD();
-				TD td8 = new TD();
-				Input input4 = new Input(Input.TEXT, "pass4", "");
-				td7.addElement(new StringElement("Password = aB8fEz"));
-				td8.addElement(input4);
-				td8.addElement(new StringElement("days"));
-				tr4.addElement(td7);
-				tr4.addElement(td8);
-	
-				TR tr5 = new TR();
-				TD td9 = new TD();
-				TD td10 = new TD();
-				Input input5 = new Input(Input.TEXT, "pass5", "");
-				td9.addElement(new StringElement("Password = z8!E?7"));
-				td10.addElement(input5);
-				td10.addElement(new StringElement("days"));
-				tr5.addElement(td9);
-				tr5.addElement(td10);
-				table.addElement(tr1);
-				table.addElement(tr2);
-				table.addElement(tr3);
-				table.addElement(tr4);
-				table.addElement(tr5);
 				ec.addElement(table);
 				ec.addElement(new BR());
 				ec.addElement(new BR());
@@ -197,9 +186,9 @@ public class PasswordStrength extends LessonAdapter
 
 	public String getInstructions(WebSession s)
 	{
-		String instructions = "The Accounts of your Webapplication are only as save as the passwords. "
+		String instructions = "The accounts of your web application are only as save as the passwords. "
-				+ "For this exercise, your job is to test several passwords on <a href=\"https://www.cnlab.ch/codecheck\" target=\"_blank\">https://www.cnlab.ch/codecheck</a>. "
+				+ "For this exercise, your job is to test several passwords on <a href=\"https://howsecureismypassword.net\" target=\"_blank\">https://howsecureismypassword.net</a>. "
-				+ " You must test all 5 passwords at the same time...<br>"
+				+ " You must test all 6 passwords at the same time...<br>"
 				+ "<b> On your applications you should set good password requirements! </b>";
 		return (instructions);
 	}

src/main/webapp/lesson_plans/English/PasswordStrength.html

@@ -7,4 +7,4 @@ Accounts are only as secure as their passwords. Most users have the same weak pa
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>

src/main/webapp/lesson_plans/en/PasswordStrength.html

@@ -3,8 +3,8 @@
 </div>
 <p><b>Concept / Topic To Teach:</b> </p>
 <!-- Start Instructions -->
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the sbetter.
 <!-- Stop Instructions -->
 <br>
 <p><b>General Goal(s):</b> </p>
- For this exercise, your job is to test several passwords on <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ For this exercise, your job is to test several passwords on <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>

src/main/webapp/lesson_plans/ru/PasswordStrength.html

@@ -10,4 +10,4 @@
 <!-- Stop Instructions -->
 <br>
 <p><b>Основные цели и задачи:</b> </p>
- Попробуйте проверить несколько используемых вами паролей на стойкость вот на этом сервисе - <a href="https://www.cnlab.ch/codecheck" target="_blank">https://www.cnlab.ch/codecheck</a>
+ Попробуйте проверить несколько используемых вами паролей на стойкость вот на этом сервисе - <a href="https://howsecureismypassword.net/" target="_blank">https://howsecureismypassword.net/</a>