Set Maximum Number of Invalid Password Attempts
This setting applies to both sign in and change password attempts.
- Locate the setting in the Web server’s web.config file for two-tier configuration or the Application server’s web.config file for three-tier configuration. These settings are in the <membership> section.
maxInvalidPasswordAttempts="9999" passwordAttemptWindow="1"
- Set maxInvalidPasswordAttempts to the number of allowed attempts: the number of times the user can enter their password incorrectly within a certain amount of time before the account becomes locked.
- Set passwordAttemptWindow to the number of minutes within which those attempts must happen. For example, if you enter the wrong password the allowed number of times within a 10-minute window, you are locked out.
Based on the default settings, a user has to enter their password 9999 times in one minute before being locked out.
- Save and close the web.config file.
- Restart IIS.
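
To confirm the change took effect, the following added example (not part of the product or its documentation) reads a web.config and reports each membership provider's lockout settings, with a rough count of wrong guesses per day that would never lock the account. The provider name and type in the sample and the two review thresholds are assumptions, and the sample assumes a web.config without an XML namespace on its root element.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the provider name and type are placeholders.
SAMPLE_WEB_CONFIG = """<configuration><system.web>
  <membership defaultProvider="ExampleProvider"><providers>
    <add name="ExampleProvider" type="Example.MembershipProvider"
         maxInvalidPasswordAttempts="9999" passwordAttemptWindow="1" />
  </providers></membership>
</system.web></configuration>"""

# Assumed review thresholds (not from the page); set them to your own policy.
MAX_ATTEMPTS = 10
MIN_WINDOW_MINUTES = 5


def guesses_per_day(attempts, window_minutes):
    """Rough upper bound on wrong guesses per account per day that never
    trigger a lockout: one fewer than the limit in every window."""
    return (attempts - 1) * 1440 // window_minutes


def audit_lockout(xml_text, max_attempts=MAX_ATTEMPTS, min_window=MIN_WINDOW_MINUTES):
    """Return one dict per membership provider with its lockout findings."""
    reports = []
    for add in ET.fromstring(xml_text).findall(".//membership/providers/add"):
        report = {"provider": add.get("name", "(unnamed)"), "findings": []}
        values = {}
        for attr in ("maxInvalidPasswordAttempts", "passwordAttemptWindow"):
            raw = add.get(attr)
            if raw is None:
                report["findings"].append(f"{attr} not set; provider default applies")
            elif not raw.strip().isdecimal() or int(raw) < 1:
                report["findings"].append(f"{attr}={raw!r} is not a positive integer")
            else:
                values[attr] = int(raw)
        attempts = values.get("maxInvalidPasswordAttempts")
        window = values.get("passwordAttemptWindow")
        if attempts is not None and attempts > max_attempts:
            report["findings"].append(f"{attempts} attempts allowed, review limit is {max_attempts}")
        if window is not None and window < min_window:
            report["findings"].append(f"{window}-minute window, review minimum is {min_window}")
        if attempts is not None and window is not None:
            report["guesses_per_day"] = guesses_per_day(attempts, window)
        reports.append(report)
    return reports


if __name__ == "__main__":
    for r in audit_lockout(SAMPLE_WEB_CONFIG):
        print(r)
```

With the default values shown on this page, the report lists two findings and roughly 14.4 million lockout-free guesses per day.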