diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ef44eb9a3e..ddeafa5ca1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
         strategy:
             fail-fast: true
             matrix:
-                os: [ windows-latest, ubuntu-latest, macos-13 ]
+                os: [ windows-latest, ubuntu-latest, macos-15-intel ]
             max-parallel: 1
         steps:
             -   uses: actions/checkout@v4.1.6
diff --git a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
index c25f045c28..b402b6380d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
@@ -59,6 +59,10 @@ public AttackResult completed(@RequestParam String password) {
             + calculateTime(
                 (long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond())
             + "</br>");
+      output.append(
+              "<i>Note:</i> This estimate assumes brute-force attack and does not account for "
+                      + "dictionary or rule-based attacks, which can significantly reduce real-world cracking time "
+                      + "for common phrases.</br>");
     if (strength.getFeedback().getWarning().length() != 0)
       output.append("<b>Warning: </b>" + strength.getFeedback().getWarning() + "</br>");
     // possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee