Dovecot is not UI software, so setting too high or heavy a computational
cost will not work. I would recommend you use an application password for
IMAP access instead, or use webmail with OAuth2.

It's not really a Dovecot problem if you use PAM settings that run too
long.

Aku

On 15/01/2026 11:24 EET Matthias Bodenbinder via dovecot
<[1][email protected]> wrote:
Hello,

with no reply yet on this topic I am wondering if this is the right
place to address the topic.

With its behaviour Dovecot prevents the hardening of password hashes.
For security reasons it is recommended to increase YESCRYPT_COST_FACTOR
above the default value of 5.
e.g.
[2]https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt

This is not possible when Dovecot is running because Dovecot cannot
authenticate users where the password was created with a high
YESCRYPT_COST_FACTOR.

And this affects all major Linux distros because they all use
ENCRYPT_METHOD YESCRYPT these days. (e.g. Debian, Ubuntu, Fedora, Arch,
Kali Linux)

Can someone please let me know if this mailing list is the right place
to address this and/or recommend a better place to me?

Thank you,
Matthias

On Sunday, 11.01.2026 at 10:11 +0100, Matthias Bodenbinder via dovecot
wrote:
On Friday, 09.01.2026 at 10:30 +0100, Matthias Bodenbinder via dovecot
wrote:
Hi,

Dovecot does not work with ENCRYPT_METHOD YESCRYPT and
YESCRYPT_COST_FACTOR=11.
I have tested with 2.4.2-4 and 2.3.21.1-4 on EndeavourOS.

When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and
recreating the user password for my user and restarting the dovecot
service I get:

    # doveadm auth test matthias
    Password:
    passdb: matthias auth failed
    extra fields:
      user=matthias

When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:

    # doveadm auth test matthias
    Password:
    passdb: matthias auth succeeded
    extra fields:
      user=matthias

I have tested this back and forth. The culprit is definitely a high
value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value
of 9 or 11 fails.

Can it be that this problem has to do with

    #define AUTH_FAILURE_DELAY_CHECK_MSECS 500

in auth-request-handler.c ?

Increasing the YESCRYPT_COST_FACTOR for the password hashing will
certainly extend the time of the pam auth process.

Matthias
_______________________________________________
dovecot mailing list -- [3][email protected]
To unsubscribe send an email to [4][email protected]
References
Visible links
1. mailto:[email protected]
2. https://linux-audit.com/authentication/linux-password-security-hashing-rounds/#yescrypt
3. mailto:[email protected]
4. mailto:[email protected]
5. mailto:[email protected]
6. mailto:[email protected]