Set Maximum Number of Invalid Password Attempts

This setting applies to both sign in and change password attempts.

1. Locate the setting in the Web server’s web.config file for two-tier configuration or the Application server’s web.config file for three-tier configuration. These settings are in the <membership> section.

maxInvalidPasswordAttempts=“9999” passwordAttemptWindow=“1”

2. Set the number of allowed attempts, the amount of times the user can enter their password incorrectly in a certain amount of time before the account becomes locked.
3. Set the number of minutes, for the number of attempts to happen. For example, if you enter the wrong password within a 10 minutes window, you are locked out.

Based on the default settings, a user has to enter their password 9999 times in one minute before being locked out.

4. Save and close the web.config file.
5. Restart IIS.