Document exchange password for short term credential
Fixes gh-4959
parent aa900065b8
commit 0991f31613
@ -34,15 +34,23 @@ The reason is that with modern hardware we can perform billions of hash calculat
This means that we can crack each password individually with ease.
Developers are now encouraged to leverage adaptive one-way functions to store a password.
Validation of passwords with adaptive one-way functions are intentionally resource (i.e. CPU, memory, etc) intensive.
An adaptive one-way function allows configuring a "work factor" which can grow as hardware gets better.
It is recommended that the "work factor" be tuned to take about 1 second to verify a password on your system.
This trade off is to make it difficult for attackers to crack the password, but not so costly it puts excessive burden on your own system.
Spring Security has attempted to provide a good starting point for the "work factor", but users are encouraged to customize the "work factor" for their own system since the performance will vary drastically from system to system.
Examples of adaptive one-way functions that should be used include
https://en.wikipedia.org/wiki/Bcrypt[bcrypt],
https://en.wikipedia.org/wiki/PBKDF2[PBKDF2],
https://en.wikipedia.org/wiki/Scrypt[scrypt],
and https://en.wikipedia.org/wiki/Argon2[Argon2].
|
Because adaptive one-way functions are intentionally resource intensive, validating a username and password for every request will degrade performance of an application significantly
There is nothing Spring Security (or any other library) can do to speed up the validation of the password since security is gained by making the validation resource intensive.
Users are encouraged to exchange the long term credentials (i.e. username and password) for a short term credential (i.e. session, OAuth Token, etc).
The short term credential can be validated quickly without any loss in security.
|
|
[[pe-dpe]]
== DelegatingPasswordEncoder
|
|
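Review bot: the closing sentence of the new paragraph, "The short term credential can be validated quickly without any loss in security", should be qualified so readers do not take the exchange to be free of its own requirements: a session identifier or OAuth token only preserves the security of the password it replaces if it is itself unguessable (randomly generated with enough entropy), bounded in lifetime, and carried only over a protected channel, so a sentence stating that and a cross-reference to where the docs cover sessions and OAuth tokens would make the advice actionable. Two smaller points in the same region: the first new sentence, "...will degrade performance of an application significantly", is missing its full stop, and since the surrounding lines are being touched anyway, the context sentence "Validation of passwords with adaptive one-way functions are intentionally resource (i.e. CPU, memory, etc) intensive." should read "is intentionally".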