bug(passwords): fix situations where better password rules inadvertently break tests

* use bang version of save methods in the seeds file, so that when you fix validation,
  it will at least explode, rather than silently failing to create users
* fix two tests where passwords are hardcoded so that they use stronger passwords,
  since password complexity is not the important bit of either of those tests.

db/seeds.rb

@@ -267,43 +267,43 @@ paid_time_off = [
 users.each do |user_info|
   user = User.new(user_info.reject {|k| k == :user_id })
   user.user_id = user_info[:user_id]
-  user.save
+  user.save!
 end
 
 retirements.each do |r|
  ret = Retirement.new(r.reject {|k| k == :user_id})
  ret.user_id = r[:user_id]
- ret.save
+ ret.save!
 end
 
 paid_time_off.each do |pto|
   ptoff = PaidTimeOff.new(pto.reject {|k| k == :user_id})
   ptoff.user_id = pto[:user_id]
-  ptoff.save
+  ptoff.save!
 end
 
 schedule.each do |event|
   sched = Schedule.new(event.reject {|k| k == :user_id})
   sched.user_id = event[:user_id]
-  sched.save
+  sched.save!
 end
 
 performance.each do |perf|
   p = Performance.new(perf.reject {|k| k == :user_id})
   p.user_id = perf[:user_id]
-  p.save
+  p.save!
 end
 
 messages.each do |message|
   m = Message.new(message.reject {|k| k == :creator_id})
   m.creator_id = message[:creator_id]
-  m.save
+  m.save!
 end
 
 work_info.each do |wi|
   info = WorkInfo.new(wi.reject {|k| k == :user_id } )
   info.user_id = wi[:user_id]
-  info.save
+  info.save!
 end
 
 

spec/vulnerabilities/password_hashing_spec.rb

@@ -7,7 +7,7 @@ feature 'improper password hashing' do
   end
 
   scenario "with just md5\nTutorial: https://github.com/OWASP/railsgoat/wiki/A6-Sensitive-Data-Exposure-Insecure-Password-Storage" do
-    new_pass = 'testpassword'
+    new_pass = 'testPassw0rd!'
     @normal_user.password = new_pass
     @normal_user.password_confirmation = new_pass
     @normal_user.save

spec/vulnerabilities/sql_injection_spec.rb

@@ -7,7 +7,7 @@ feature 'sql injection' do
     @admin_user = User.where("admin='t'").first
   end
 
-  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R5-A1-SQL-Injection-Concatentation" do
+  scenario "attack\nTutorial: https://github.com/OWASP/railsgoat/wiki/R4-A1-SQL-Injection-Concatentation" do
     expect(@admin_user.admin).to be_truthy
 
     login(@normal_user)
@@ -15,8 +15,8 @@ feature 'sql injection' do
     visit "/users/#{@normal_user.user_id}/account_settings"
     within('#account_edit') do
       fill_in 'Email', :with => 'joe.admin@schmoe.com'
-      fill_in 'user_password', :with => 'hacketyhack'
+      fill_in 'user_password', :with => 'H4cketyhack'
-      fill_in 'user_password_confirmation', :with => 'hacketyhack'
+      fill_in 'user_password_confirmation', :with => 'H4cketyhack'
 
       # this is a hidden field, so cannot use fill_in to access it.
       find(:xpath, "//input[@id='user_user_id']", :visible => false).set "8' OR admin='t') --"