diff --git a/src/Wt/Auth/HashFunction.C b/src/Wt/Auth/HashFunction.C
index 9be0cf83e..fb9d69237 100644
--- a/src/Wt/Auth/HashFunction.C
+++ b/src/Wt/Auth/HashFunction.C
@@ -9,6 +9,7 @@
 #include "Wt/Utils.h"
 #include "Wt/WException.h"
+#include "Wt/WLogger.h"
 #ifndef WT_TARGET_JAVA
 // for htonl():
@@ -31,6 +32,7 @@ extern "C" {
 #endif
 namespace Wt {
+ LOGGER("Auth.HashFunction");
 namespace Auth {
 HashFunction::~HashFunction()
@@ -86,7 +88,11 @@ std::string SHA1HashFunction::name() const
 BCryptHashFunction::BCryptHashFunction(int count)
 : count_(count)
-{ }
+{
+ if (count_ < 10) {
+ LOG_WARN("ASVS recommends using BCrypt with at least 10 iterations.");
+ }
+}
 std::string BCryptHashFunction::compute(const std::string& msg,
 const std::string& salt) const
diff --git a/src/Wt/Auth/HashFunction.h b/src/Wt/Auth/HashFunction.h
index 286f7ea49..89a562863 100644
--- a/src/Wt/Auth/HashFunction.h
+++ b/src/Wt/Auth/HashFunction.h
@@ -141,8 +141,13 @@ class WT_API BCryptHashFunction final : public HashFunction
 * stored in the computed hash.
 *
 * The value of \p count needs to be 0, or in the range 4-31.
+ *
+ * By default \p count has a value of 12.
+ *
+ * \note
+ * ASVS recommends using BCrypt with at least 10 iterations.
 */
- BCryptHashFunction(int count = 0);
+ BCryptHashFunction(int count = 12);
 /*! \brief Returns the name for this hash function.
 *
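Review bot: The warning added in the constructor (`if (count_ < 10)`) calls the parameter "iterations", but per the header comment it is the bcrypt count with a valid range of 0 or 4-31, which is a logarithmic cost factor rather than an iteration number, and the message does not say which value was configured. I would log the value and use the cost wording, e.g. `LOG_WARN("BCrypt count " << count_ << " is below the work factor of 10 recommended by ASVS.");`; the `\note` added in HashFunction.h uses the same "iterations" wording. The check also lets values outside the documented range (1-3, negative, above 31) through with at most a warning; whether compute() rejects them is not visible in this hunk.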
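Review bot: With the default moving from 0 to 12 in `BCryptHashFunction(int count = 12)`, the comment still lists 0 as an accepted value without saying what it selects, and a caller who passes 0 explicitly will now get the below-10 warning from the constructor in HashFunction.C. I would add a line such as `* A value of 0 selects the bcrypt library's built-in default cost (TODO confirm), which may be lower than 10.` Since the comment above says the parameter is stored in the computed hash, hashes created under the old default presumably keep their old cost until the password is hashed again, which is worth stating in the documentation or release notes. The class body continues outside the hunk.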