diff --git a/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java b/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java
index c7130c8aa..c9549b8d5 100644
--- a/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java
+++ b/src/main/java/org/owasp/webgoat/lessons/PasswordStrength.java
@@ -84,10 +84,10 @@ public class PasswordStrength extends LessonAdapter
 }
 private boolean checkSolution(WebSession s) throws ParameterNotFoundException {
- boolean allCorrect = false;
- for ( int i = 0; i < passwords.size(); i++ ) {
+ boolean allCorrect = true;
+ for ( int i = 1; i <= passwords.size(); i++ ) {
 String key = "pass" + i;
- allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key));
+ allCorrect = allCorrect && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);
 }
 return allCorrect;
 }
@@ -108,6 +108,7 @@ public class PasswordStrength extends LessonAdapter
 if (checkSolution(s)) {
 makeSuccess(s);
+ ec.addElement(new BR());
 ec.addElement(new StringElement("As a guideline not bound to a single solution."));
 ec.addElement(new BR());
 ec.addElement(new StringElement("Assuming the calculations per second 4 billion: "));
diff --git a/src/main/webapp/lesson_plans/English/PasswordStrength.html b/src/main/webapp/lesson_plans/English/PasswordStrength.html
index 94d61aedc..f700fb8fd 100644
--- a/src/main/webapp/lesson_plans/English/PasswordStrength.html
+++ b/src/main/webapp/lesson_plans/English/PasswordStrength.html
@@ -3,8 +3,9 @@
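Review bot: `passwords.get(key).answer` in the new comparison dereferences the map lookup without a null check, so the rewritten 1-based loop only works if `passwords` holds exactly the contiguous keys `pass1` … `passN`; any gap or differently numbered key turns a wrong-answer case into a NullPointerException for the whole check. A cheap guard keeps the loop shape: `allCorrect = allCorrect && passwords.containsKey(key) && s.getParser().getStringParameter(key, "").equals(passwords.get(key).answer);`, or iterate `passwords.entrySet()` and drop the index arithmetic altogether. Because `allCorrect &&` short-circuits, later parameters are never read after the first mismatch, which is fine for a lesson check but deserves a one-line comment such as `// keys are 1-based: pass1 … passN; the first mismatch ends the check`. The declaration and population of `passwords` are outside this hunk, so the contiguity assumption is inferred rather than verified.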
Concept / Topic To Teach:
-Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals and numbers. The longer the password, the better.
+Accounts are only as secure as their passwords. Most users have the same weak password everywhere. If you want to protect them against brute-force-attacks your application should have good requirements for passwords. The password should contain lower case letters, capitals, numbers and special characters. The longer the password, the better, consider using a passphrase instead. For
+more information see: OWASP proper password strength.
-General Goal(s):
For this exercise, your job is to test several passwords on https://howsecureismypassword.net/ \ No newline at end of file