finished the writeup for password complexity

app/models/user.rb

@@ -4,7 +4,8 @@ class User < ActiveRecord::Base
   validates :password, :presence => true,
                        :confirmation => true,
                        :length => {:within => 6..40},
-                       :on => :create
+                       :on => :create#,
+                       #:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}
   validates_presence_of :email
   validates_uniqueness_of :email
   validates_format_of :email, :with => /.+@.+\..+/i

app/views/layouts/tutorial/broken_auth_sess/_password_complexity.html.erb

@@ -0,0 +1,100 @@
+<div class="widget">
+    <div class="widget-header">
+      <div class="title">
+        <span class="fs1" aria-hidden="true" data-icon="&#xe092;"></span> A3 - Broken Authentication and Session Management - Lack of Password Complexity
+      </div>
+    </div>
+    <div class="widget-body">
+      <div id="accordion1" class="accordion no-margin">
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapsePwdOne" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-info icon-white">
+              </i>
+              Description
+            </a>
+          </div>
+          <div class="accordion-body in collapse" id="collapsePwdOne" style="height: auto;">
+            <div class="accordion-inner">
+              <p class="desc">
+			 	Password complexity is incredibly important and highly debated subject. Other factors play a part in the stringency of the enforcement policy applied. If a username can be enumerated, a CAPTCHA on the login form is not present or other methods to deter a brute-force password guessing campaign are not in place, at least password complexity enforcement policy can make it a that much more difficult for an attacker to guess users passwords.
+			  </p>
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapsePwdTwo" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-bug icon-white">
+              </i>
+              Bug
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapsePwdTwo" style="height: 0px;">
+            <div class="accordion-inner">
+	          <p>
+              Within app/models/User.rb
+              </p>
+			  <pre class="ruby">
+				validates :password, :presence => true,
+			                       :confirmation => true,
+			                       :length => {:within => 6..40},
+			                       :on => :create
+			  </pre>
+			  <p class="desc">
+				The application validates only the password length and nothing else. Developers can leverage the format option to apply a regular expression that checks the password has sufficient complexity.
+			  </p>		
+            </div>
+          </div>
+        </div>
+        <div class="accordion-group">
+          <div class="accordion-heading">
+            <a href="#collapsePwdThree" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-lightning icon-white">
+              </i>
+              Solution
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapsePwdThree" style="height: 0px;">
+            <div class="accordion-inner">
+              <p><b>Lack of Password Complexity - ATTACK</b></p>
+  			  <p class="desc">
+	          	Leverage a tool such as BurpSuite's intruder to brute-force the passwords of the users. The highest privileged account that you an attacker can compromise is the admin. The password is very simple ("admin1234"), username is ("admin@metacorp.com").
+			  </p> 
+			  <p><b>Lack of Password Complexity - SOLUTION</b></p>
+			  <p class="desc">
+				This regular expression validates the password has the following requirements:
+				<li>1 digit</li>
+				<li>1 lowercase alphabet</li>
+				<li>1 uppercase alphabet</li>
+				<li>1 special character</li>
+			  </p>	
+			  <pre class="ruby">
+				  validates :password, :presence => true,
+				                       :confirmation => true,
+				                       :length => {:within => 6..40},
+				                       :on => :create,
+				                       <span style="background-color: yellow">:format => {:with => /\A.*(?=.{10,})(?=.*\d)(?=.*[a-z])(?=.*[A-Z])(?=.*[\@\#\$\%\^\&\+\=]).*\z/}</span>
+			  </pre>	
+            </div>
+          </div>
+        </div>
+		<div class="accordion-group">
+          <div class="accordion-heading">
+            <a  style="background-color: rgb(181, 121, 158)" href="#collapsePwdFour" data-parent="#accordion1" data-toggle="collapse" class="accordion-toggle">
+              <i class="icon-aid icon-white">
+              </i>
+              Hint
+            </a>
+          </div>
+          <div class="accordion-body collapse" id="collapsePwdFour" style="height: 0px;">
+            <div class="accordion-inner">
+				<p class="desc">
+					I wonder how strong the administrator's password is?
+				</p>	
+             </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>

app/views/tutorials/broken_auth.html.erb

@@ -5,6 +5,11 @@
 		      <%= render :partial => ("layouts/tutorial/broken_auth_sess/user_pass_enum")%>
 		    </div> <!-- End Span12-->
 		</div>
+		<div class="row-fluid">
+		    <div class="span12">
+		      <%= render :partial => ("layouts/tutorial/broken_auth_sess/password_complexity")%>
+		    </div> <!-- End Span12-->
+		</div>
 	</div>
 </div>