OWASP recommendations are apparently cribbed from Steve Thomas, who explains the rationale for his recommendations in the Info section at the bottom of his Minimum Password Settings page. The settings are designed to throttle an attacker’s hash speeds to 10kH/s/GPU. Of note is that this is the recommendation when using passwords for authentication purposes only. As I’ve noted in another post, when the password is used for encryption, hash rates should ideally be much slower (<1kH/s/GPU).
4 Likes