diff --git a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
index b8d9d3ce9..7b62abd88 100644
--- a/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
+++ b/webgoat-integration-tests/src/test/java/org/owasp/webgoat/ChallengeTest.java
@@ -3,6 +3,7 @@ package org.owasp.webgoat;
 import static org.junit.jupiter.api.Assertions.assertTrue;
+import java.util.Arrays;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -10,6 +11,8 @@ import java.util.Map;
 import org.junit.jupiter.api.Test;
 import io.restassured.RestAssured;
+import static org.owasp.webgoat.challenges.SolutionConstants.PASSWORD;
+
 public class ChallengeTest extends IntegrationTest {
@@ -17,10 +20,21 @@ public class ChallengeTest extends IntegrationTest {
 public void testChallenge1() {
 startLesson("Challenge1");
+ byte[] resultBytes =
+ RestAssured.given()
+ .when()
+ .relaxedHTTPSValidation()
+ .cookie("JSESSIONID", getWebGoatCookie())
+ .get(url("/WebGoat/challenge/logo"))
+ .then()
+ .statusCode(200)
+ .extract().asByteArray();
+
+ String pincode = new String(Arrays.copyOfRange(resultBytes, 81216, 81220));
 Map params = new HashMap<>();
 params.clear();
 params.put("username", "admin");
- params.put("password", "!!webgoat_admin_1234!!");
+ params.put("password", PASSWORD.replace("1234", pincode));
 checkAssignment(url("/WebGoat/challenge/1"), params, true);
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
index 4c2d0d683..efc885798 100644
--- a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/Assignment1.java
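Review bot: In `testChallenge1`, `Arrays.copyOfRange(resultBytes, 81216, 81220)` repeats the byte offsets hard-coded in `ImageServlet` and the result is decoded with the platform default charset. `copyOfRange` pads with zero bytes when the end index runs past the array, so a shorter image would produce a wrong PIN and a confusing login failure rather than a clear one; an `assertTrue(resultBytes.length >= 81220);` before the slice makes that visible. Passing `StandardCharsets.US_ASCII` as the second argument of `new String(...)` pins the decoding of the four digit bytes. `testChallenge1` continues past the end of this hunk.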
@@ -46,7 +46,7 @@ public class Assignment1 extends AssignmentEndpoint {
 @ResponseBody
 public AttackResult completed(@RequestParam String username, @RequestParam String password, HttpServletRequest request) {
 boolean ipAddressKnown = true;
- boolean passwordCorrect = "admin".equals(username) && PASSWORD.equals(password);
+ boolean passwordCorrect = "admin".equals(username) && PASSWORD.replace("1234", String.format("%04d",ImageServlet.PINCODE)).equals(password);
 if (passwordCorrect && ipAddressKnown) {
 return success(this).feedback("challenge.solved").feedbackArgs(Flag.FLAGS.get(1)).build();
 } else if (passwordCorrect) {
diff --git a/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
new file mode 100644
index 000000000..a8b1165d8
--- /dev/null
+++ b/webgoat-lessons/challenge/src/main/java/org/owasp/webgoat/challenges/challenge1/ImageServlet.java
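Review bot: The new comparison in `completed` only includes the random PIN while `PASSWORD` still contains the literal `1234`; if that constant is ever edited, `replace` returns it unchanged and the check silently falls back to a fixed password. Deriving the expected value once makes the coupling explicit and avoids re-formatting it on every request, e.g. `private static final String EXPECTED_PASSWORD = PASSWORD.replace("1234", String.format("%04d", ImageServlet.PINCODE));` followed by `EXPECTED_PASSWORD.equals(password)`. The only secret part of the password is four digits and no attempt limiting is visible in this hunk, so a comment stating whether that is intended for the challenge would help maintainers. The body of `completed` continues past the end of the hunk.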
@@ -0,0 +1,44 @@
+package org.owasp.webgoat.challenges.challenge1;
+
+import java.io.IOException;
+import java.security.SecureRandom;
+
+import javax.servlet.ServletException;
+import javax.servlet.annotation.WebServlet;
+import javax.servlet.http.HttpServlet;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.core.io.ClassPathResource;
+import org.springframework.http.MediaType;
+import org.springframework.util.FileCopyUtils;
+
+@WebServlet(name = "ImageServlet", urlPatterns = "/challenge/logo")
+public class ImageServlet extends HttpServlet {
+
+ private static final long serialVersionUID = 9132775506936676850L;
+ static final public int PINCODE = new SecureRandom().nextInt(10000);
+
+ @Override
+ protected void doGet(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+
+ byte[] in = new ClassPathResource("images/webgoat2.png").getInputStream().readAllBytes();
+
+ String pincode = String.format("%04d", PINCODE);
+
+ in[81216]=(byte) pincode.charAt(0);
+ in[81217]=(byte) pincode.charAt(1);
+ in[81218]=(byte) pincode.charAt(2);
+ in[81219]=(byte) pincode.charAt(3);
+
+ response.setContentType(MediaType.IMAGE_PNG_VALUE);
+ FileCopyUtils.copy(in, response.getOutputStream());
+ }
+
+ @Override
+ protected void doPost(HttpServletRequest request, HttpServletResponse response)
+ throws ServletException, IOException {
+ doGet(request, response);
+ }
+}
\ No newline at end of file
diff --git a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html b/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
index a23d343db..0f1d32fc9 100644
--- a/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
+++ b/webgoat-lessons/challenge/src/main/resources/html/Challenge1.html
@@ -12,7 +12,7 @@
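Review bot: `ImageServlet.doGet` never closes the stream returned by `getInputStream()`, and the four writes at `in[81216]` to `in[81219]` assume `images/webgoat2.png` is at least 81220 bytes, so swapping in a smaller image turns every request into an `ArrayIndexOutOfBoundsException`. The rewrite below reads the resource in try-with-resources, names the offset and checks the length before patching; it needs `java.io.InputStream` and `java.nio.charset.StandardCharsets` imported. `PINCODE` is initialised once per JVM, so every user shares the same PIN until restart, and a short comment saying that is intended would help. `static final public` is conventionally written `public static final`, and `doPost` forwarding to `doGet` looks unnecessary for an image endpoint unless some caller really posts to it.

```java
    private static final int PIN_OFFSET = 81216;

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        byte[] in;
        try (InputStream stream = new ClassPathResource("images/webgoat2.png").getInputStream()) {
            in = stream.readAllBytes();
        }

        byte[] pin = String.format("%04d", PINCODE).getBytes(StandardCharsets.US_ASCII);
        if (in.length < PIN_OFFSET + pin.length) {
            throw new ServletException("logo image is shorter than the expected PIN offset");
        }
        System.arraycopy(pin, 0, in, PIN_OFFSET, pin.length);

        // … unchanged: setContentType and FileCopyUtils.copy …
    }
```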
- +