diff --git a/app/assets/stylesheets/application.scss b/app/assets/stylesheets/application.scss index 3192ec8..67bee38 100755 --- a/app/assets/stylesheets/application.scss +++ b/app/assets/stylesheets/application.scss @@ -11,3 +11,8 @@ *= require_self *= require_tree . */ + +p.desc { +max-width: 850px; +word-wrap: break-word; +} \ No newline at end of file diff --git a/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb b/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb index 92005fb..8d79d13 100644 --- a/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb +++ b/app/views/layouts/tutorial/broken_auth_sess/_user_pass_enum.html.erb @@ -16,7 +16,7 @@
-

+

Overly verbose error messages that indicate whether or not a user exists can assist an attacker with brute-forcing accounts. In attempting to harvest valid usernames for a password-guessing campaign, these messages can prove very useful.

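Review bot: the removed and added lines in this hunk are both blank as rendered, so there is no visible markup change to review here; if the intent is to pick up the new `p.desc` rule added to application.scss in the same patch, the class attribute on the paragraph should be visible on the `+` line, otherwise the stylesheet change has no effect on this view.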
@@ -53,7 +53,9 @@ return auth end - +

+ On lines 9 and 12 you'll notice that the application generates two error messages. One indicates the email address (username) doesn't exist on the system. The other indicates that the password is incorrect. Although the application will render both error messages, either one of the error messages would be harmful by itself. This type of information can be used by an attacker to harvest email addresses or usernames. Once that list is gathered, passwords can be guessed for each account. If the username being enumerated is actually an email address, a phishing campaign could ensue with emails made to look like they are originating from the vulnerable site. +