From 8cc4162d7a1e127bedc042e47e9814a9fc25bab8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=80ngel=20Oll=C3=A9=20Bl=C3=A1zquez?=
Date: Sun, 8 Feb 2026 19:50:54 +0100
Subject: [PATCH 1/2] ci: update macos runner to macos-15-intel
* ci: update macos runner to macos-15-intel
---
 .github/workflows/build.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ef44eb9a3e..ddeafa5ca1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -36,7 +36,7 @@ jobs:
 strategy:
 fail-fast: true
 matrix:
- os: [ windows-latest, ubuntu-latest, macos-13 ]
+ os: [ windows-latest, ubuntu-latest, macos-15-intel ]
 max-parallel: 1
 steps:
 - uses: actions/checkout@v4.1.6
From 7d3343d08c360d4751e5298e1fe910463b7731a1 Mon Sep 17 00:00:00 2001
From: Shourya Thakur
Date: Mon, 9 Feb 2026 00:47:37 +0530
Subject: [PATCH 2/2] :book: Clarify brute-force assumption in Secure Passwords cracking timeClarify secure password lesson (#2273)
* :book: Clarify brute-force assumption in Secure Passwords cracking time
Signed-off-by: shouryathakur-sorcerer
* :book: Clarify brute-force assumption in Secure Passwords lesson
Signed-off-by: shouryathakur-sorcerer
---------
Signed-off-by: shouryathakur-sorcerer
Co-authored-by: shouryathakur-sorcerer
---
 .../lessons/securepasswords/SecurePasswordsAssignment.java | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
index c25f045c28..b402b6380d 100644
--- a/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/securepasswords/SecurePasswordsAssignment.java
@@ -59,6 +59,10 @@ public AttackResult completed(@RequestParam String password) { + calculateTime( (long) strength.getCrackTimeSeconds().getOnlineNoThrottling10perSecond()) + "
"); + output.append( + "Note: This estimate assumes brute-force attack and does not account for " + + "dictionary or rule-based attacks, which can significantly reduce real-world cracking time " + + "for common phrases.
"); if (strength.getFeedback().getWarning().length() != 0) output.append("Warning: " + strength.getFeedback().getWarning() + "
"); // possible feedback: https://github.com/dropbox/zxcvbn/blob/master/src/feedback.coffee
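Review bot: The added note describes the estimate as a pure brute-force figure, which does not appear to match the estimator: the feedback link in this hunk points at zxcvbn, which as far as I know already scores dictionary words, keyboard patterns and common substitutions. What the displayed number does assume is the attack scenario, since it is read from `getOnlineNoThrottling10perSecond()`, i.e. an unthrottled online attacker at 10 guesses per second; an offline attack on leaked password hashes would be many orders of magnitude faster. I would reword the sentence, keeping the existing markup, to something like `This estimate assumes an unthrottled online attack at 10 guesses per second; offline cracking of leaked password hashes can be far faster.` The enclosing `completed` method starts and ends outside the hunk.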