Account lockout
You can use system settings to enforce lockout policies.
A lockout policy determines the conditions under which multiple failed login attempts will prevent a user from logging in. The condition is set as the maximum number of consecutive failed login attempts. A timer determines whether a set of failed logins is considered consecutive attempts: the system can "forget" a failed login, based on the timer.
If there have been failed logins for a user account since the last successful login, a pop-up is displayed at the next successful login that shows the number of unsuccessful login attempts. The pop-up is shown only if the lockout condition has not been met.
When the lockout condition is met, a user enters a lockout state. The user may be required to do one of two things:
- Wait a predetermined amount of time before another login attempt is accepted.
- Contact a system administrator to unlock the account.
System settings determine the lockout policy:
- Account Lockout Max Attempts: If 0, then account lockout is disabled. It can be set to the number of consecutive failed attempts required to trigger a lockout. Default: 3.
- Account Lockout Reset Timer: If set to a negative value, users must get an administrator to unlock their account before they can log in again. It can be set to the number of minutes required before the user can log in again. Default: 120 minutes.
- Account Lockout Decay: If set to a negative value, failed attempts are never forgotten. It can be set to the number of minutes after which the last failed login attempt is forgotten and not counted against the maximum number of failed attempts. Default: 60 minutes.
See .
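The following added example (not the product's own code) models how the three settings interact, so a policy can be checked against a sequence of login events before it is deployed. The `Account` class, `replay` helper and event list are hypothetical; it assumes each failed attempt is forgotten individually once the decay period has passed, and that attempts made while locked are not counted.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Account:
    """Constructed model; time is in minutes, names are hypothetical."""
    max_attempts: int = 3    # Account Lockout Max Attempts (0 disables lockout)
    reset_timer: int = 120   # Account Lockout Reset Timer (<0: admin must unlock)
    decay: int = 60          # Account Lockout Decay (<0: failures never forgotten)
    failures: list = field(default_factory=list)  # times of counted failures
    since_success: int = 0   # failed logins since last success (pop-up count)
    locked_at: Optional[float] = None

    def admin_unlock(self):
        self.locked_at, self.since_success = None, 0
        self.failures.clear()

    def login(self, now, password_ok):
        """Return (status, popup_count) for a login attempt at minute `now`."""
        # Timed lockout ends once the reset timer has elapsed.
        if self.locked_at is not None and 0 <= self.reset_timer <= now - self.locked_at:
            self.admin_unlock()
        if self.locked_at is not None:
            return ("locked", 0)   # assumption: attempts while locked are not counted
        # Assumption: each failure is forgotten `decay` minutes after it happened.
        if self.decay >= 0:
            self.failures = [t for t in self.failures if now - t < self.decay]
        if password_ok:
            popup, self.since_success = self.since_success, 0
            self.failures.clear()
            return ("ok", popup)
        self.failures.append(now)
        self.since_success += 1
        if 0 < self.max_attempts <= len(self.failures):
            self.locked_at = now
            return ("locked", 0)
        return ("failed", 0)

def replay(account, events):
    """Feed constructed (minute, password_ok) events through the policy."""
    return [account.login(now, ok) for now, ok in events]

if __name__ == "__main__":
    # Constructed sample: two early failures, then a third after the decay window.
    events = [(0, False), (10, False), (75, False), (80, True)]
    print("defaults   :", replay(Account(), events))
    print("decay = -1 :", replay(Account(decay=-1), events))
```

With the defaults, the third failure at minute 75 does not lock the account because the first two have decayed; with the decay set to a negative value, the same sequence locks it.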