The application may return a different HTTP Error code depending on the authentication attempt response. It may respond with a 200 for a positive result and a *403* for a negative result.
403 means forbidden, which apply to when you try to access a resource without permission / authorization
Also, in their Password Storage Cheat Sheet [https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet], they seems to recommend :
PBKDF2 [*4] when FIPS certification or enterprise support on many platforms is required;
scrypt [*5] where resisting any/all hardware accelerated attacks is necessary but support isn’t.
bcrypt where PBKDF2 or scrypt support is not available.
I agree that it is more useful to use 401 to indicate that some form of authentication is required or has failed, and 403 to indicate that you are authenticated but not allowed to access something (which is what the spec emphasizes).
IOW, 403 should be "Unauthorized", 401 should be "Unauthenticated". Sadly the spec mixes those two meanings in various places.
And I agree with ambiguous spec on those concerns.