Change system defaults for locking out users

By default, users are locked out of the site after five failed login attempts within a specific time interval. However, there are three values you can change in the web.config or communityserver.config file to affect these defaults:

  • Number of bad attempts (default: five failed attempts)
  • Period during which bad attempts are counted (default: a failed attempt period of five minutes)
  • Amount of time the account is locked out (default: a lockout of five minutes)

Change number of attempts that triggers lockout

To change the number of login attempts that will trigger an account lockout:

Search for the following entry in the web.config file:

maxInvalidPasswordAttempts="5"

and replace "5" with the desired number of failed attempts you want to allow, for example 3 attempts:

maxInvalidPasswordAttempts="3"

Save the file.

Change failed attempt period that triggers the lockout

The default period for counting failed attempts is five minutes. To change the attempt count period:

Search for the following entry in the web.config file:

passwordAttemptWindow="5"

and replace "5" with the desired number of minutes you want the failure cycle to contain. Shortening the period allows the count of incorrect attempts to reset more quickly. For example, to use 3 minutes:

passwordAttemptWindow="3"

Save the file.

Change how long the lockout lasts

Once the maximum number of attempts has occurred or the attempt counting period is used up, the system will lock out the user account. To change this lock period:

Search for the following entry in the communityserver.config file:

unlockUserAfterMinutes="5"

and replace "5" with the desired number of minutes you want the user to wait before his/her password will be reset, for example 3 minutes after the lockout is initiated:

unlockUserAfterMinutes="3"

 Use -1 to never automatically unlock an account.

Save the file.
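To see what a combination of the three values means in practice, the following added example (not part of the original article or of the product) reads them from both files and estimates how many failed logins per day the policy tolerates for one account. The sample files are constructed, the element holding unlockUserAfterMinutes is a placeholder, and the counting model in `guesses_per_day` is a simplifying assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample files. The <membership> layout is standard ASP.NET; the
# element carrying unlockUserAfterMinutes is a placeholder, because the page
# does not show where in communityserver.config the attribute lives.
WEB_CONFIG = """<configuration><system.web><membership><providers>
  <add name="SampleProvider" maxInvalidPasswordAttempts="5" passwordAttemptWindow="5" />
</providers></membership></system.web></configuration>"""
CS_CONFIG = """<CommunityServer><Placeholder unlockUserAfterMinutes="5" /></CommunityServer>"""

def find_setting(xml_text, attr):
    """Return the single integer value of `attr`, wherever it appears in the file."""
    values = {el.get(attr) for el in ET.fromstring(xml_text).iter() if el.get(attr) is not None}
    if len(values) != 1:  # missing, or two providers that disagree
        raise ValueError(f"{attr}: expected one value, found {sorted(values)}")
    return int(values.pop())

def read_policy(web_xml, cs_xml):
    """Collect the three lockout values and reject ones the model cannot handle."""
    policy = {
        "attempts": find_setting(web_xml, "maxInvalidPasswordAttempts"),
        "window_min": find_setting(web_xml, "passwordAttemptWindow"),
        "unlock_min": find_setting(cs_xml, "unlockUserAfterMinutes"),
    }
    if policy["attempts"] < 1 or policy["window_min"] < 1:
        raise ValueError("attempt count and window must be at least 1")
    if policy["unlock_min"] != -1 and policy["unlock_min"] < 1:
        raise ValueError("unlock time must be -1 or at least 1 minute")
    return policy

def guesses_per_day(policy):
    """Upper bound on failed logins one account can absorb in 24 hours.

    Simplified model (an assumption): the failure count resets when the window
    expires or the account unlocks, and the attempts themselves take no time.
    """
    n, window, unlock = policy["attempts"], policy["window_min"], policy["unlock_min"]
    below_threshold = (n - 1) * 1440 // window   # failures that never trip the lockout
    if unlock == -1:                              # -1: no automatic unlock
        return max(below_threshold, n)
    return max(below_threshold, n * 1440 // unlock)  # lock, wait out the lockout, repeat

if __name__ == "__main__":
    defaults = read_policy(WEB_CONFIG, CS_CONFIG)
    print(defaults, guesses_per_day(defaults))
```

Under this model the defaults (5, 5, 5) and the article's example values (3, 3, 3) give the same daily bound, because the ratio of attempts to lockout minutes is unchanged.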