Update PasswordEncoder Minimums

[jzheaux]

Based on #10447 (comment), Argon2PasswordEncoder, ScryptPasswordEncoder, and Pbkdf2PasswordEncoder should have their minimums updated.

Please also see gh-7411 gh-4788

[larsgrefer]

see also #7411 (comment)

[ioanadinuit]

Hi, did someone take this issue? I would like to contribuite.

[jzheaux]

@ioanadinuit, thanks for volunteering! The ticket is yours.

One thing we need to keep in mind is what will happen to folks when they upgrade to Spring Security 6.

Ideally, existing hashes will still work which is not as simple with Pbkdf2PasswordEncoder, which does not support upgrading. It may be necessary to implement #9833 before changing PBKDF2 default settings.

[jzheaux]

@Sc00bz, I'd prefer to go off of the recommendations on the OWASP cheat sheet. They vary just slightly from your recommendations in your comment. Do you have any concerns with going with the recommendations from the cheat sheet?