Hi John,
this is not a pam timeout issue. I have the passwords of my user and the root user created with YESCRYPT_COST_FACTOR=11 and it works fine. ssh, postfix, nfs, gdm, etc. Everything works except dovecot.
With this command you can check which YESCRYPT_COST_FACTOR has been used:
getent shadow | awk -F: '$2 ~ /^\$/' | column --table --separator :$
root      y  jFT  ...
matthias  y  jFT  ...
guest     y  j9T  ...

jFT stands for YESCRYPT_COST_FACTOR=11
j9T stands for YESCRYPT_COST_FACTOR=5
(see also here: https://linux-audit.com/authentication/linux-password-security-hashing-round...)
When I test for user guest (with j9T) I get:
time doveadm auth test guest
Password:
passdb: guest auth succeeded
extra fields:
  user=guest
doveadm auth test guest 0,00s user 0,00s system 0% cpu 2,195 total
When I test for user matthias (with jFT) I get:
time doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
  user=matthias
doveadm auth test matthias 0,00s user 0,00s system 0% cpu 8,996 total
When I recreate the password for user matthias with YESCRYPT_COST_FACTOR=5 the issue is gone.
pamtester is also successful with YESCRYPT_COST_FACTOR=11
pamtester --verbose system-auth matthias authenticate
pamtester: invoking pam_start(system-auth, matthias, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
ssh login works fine too:
Jan 16 15:53:08 rakete sshd-session[49576]: Accepted password for matthias from 192.168.132.182 port 50692 ssh2
Jan 16 15:53:08 rakete sshd-session[49576]: pam_unix(sshd:session): session opened for user matthias(uid=1000) by matthias(uid=0)
I also tested dovecot with YESCRYPT_COST_FACTOR=7 and that worked. YESCRYPT_COST_FACTOR=9 didn't work.
Kind Regards
Matthias
Am Freitag, dem 16.01.2026 um 14:16 +0100 schrieb John Fawcett via dovecot:
Hi Matthias
I'm pretty sure that this value (AUTH_FAILURE_DELAY_CHECK_MSECS) is the delay that Dovecot waits after the failure before reporting it, so not really relevant since the failure has already happened when that comes into play.
Out of curiosity, when you do the test that fails, how long did it take before it failed?
Maybe there is a timeout configured in pam (e.g. LOGIN_TIMEOUT in login.defs) or elsewhere.
John
On 11/01/2026 10:11, Matthias Bodenbinder via dovecot wrote:
Am Freitag, dem 09.01.2026 um 10:30 +0100 schrieb Matthias Bodenbinder via dovecot:
Hi,
dovecot does not work with ENCRYPT_METHOD YESCRYPT and YESCRYPT_COST_FACTOR=11. I have tested with 2.4.2-4 and 2.3.21.1-4 on endeavouros.
When changing YESCRYPT_COST_FACTOR to 11 in /etc/login.defs and recreating the user password for my user and restarting the dovecot service I get:
doveadm auth test matthias
Password:
passdb: matthias auth failed
extra fields:
  user=matthias

When reverting the change to YESCRYPT_COST_FACTOR=5 it works again:
doveadm auth test matthias
Password:
passdb: matthias auth succeeded
extra fields:
  user=matthias
I have tested this back and forth. The culprit is definitely a high value for YESCRYPT_COST_FACTOR. A value of 7 is still good but a value of 9 or 11 fails.
Can it be that this problem has to do with
#define AUTH_FAILURE_DELAY_CHECK_MSECS 500
in auth-request-handler.c ?
Increasing the YESCRYPT_COST_FACTOR for the password hashing will certainly extend the time of the pam auth process.
Matthias
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
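
Added example, not part of the original messages: a shell helper that extends the getent/awk check from the top message to print the cost factor per account and to list accounts above a chosen limit. It assumes the one-character parameter encoding implied by the two values quoted there (j9T = 5, jFT = 11); the function names and the sample shadow lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report the yescrypt cost factor of shadow-format entries.
# Assumption: the params field has the form "j<c>T" and the cost factor is
# the 1-based position of <c> in the crypt base-64 alphabet minus 7, which
# matches the two values quoted in the thread (j9T -> 5, jFT -> 11).

# Reads shadow-format lines on stdin, prints "user params cost" per yescrypt hash.
yescrypt_costs() {
    awk -F: '
    BEGIN { a64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz" }
    {
        n = split($2, p, "[$]")         # "$y$j9T$salt$hash" -> "", y, j9T, salt, hash
        if (n < 4 || p[2] != "y") next  # locked account or another hash scheme
        cost = "?"                      # params outside the assumed j<c>T form
        if (length(p[3]) == 3 && substr(p[3], 1, 1) == "j" && substr(p[3], 3, 1) == "T") {
            pos = index(a64, substr(p[3], 2, 1))
            if (pos > 7) cost = pos - 7
        }
        print $1, p[3], cost
    }'
}

# Prints the users whose decoded cost factor is greater than $1.
yescrypt_over() {
    yescrypt_costs | awk -v max="$1" '$3 != "?" && $3 + 0 > max + 0 { print $1 }'
}

# Constructed sample input; salts and hashes are placeholders, not real values.
sample_shadow() {
    cat <<'EOF'
root:$y$jFT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
matthias:$y$jFT$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
guest:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
daemon:!*:20000::::::
legacy:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:20000:0:99999:7:::
EOF
}

sample_shadow | yescrypt_costs
```

On a live system, `getent shadow | yescrypt_over 7` (run as root) lists the accounts above 7, the highest value reported in the thread as still working with Dovecot.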