Lock accounts after no more than 10 unsuccessful attempts
Locking accounts after a certain number of unsuccessful login attempts protects your system against a brute-force attack, in which an attacker tries all possible combinations of a password. Stopping a user after 10 attempts will completely halt an attacker. If an authentic user is trying to access the system but has genuinely forgotten their password, you can easily unlock their account or ask them to change their password.
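The lockout rule described above, sketched as an added example (not part of the original guidance). The AccountStore class, its method names and the in-memory storage are hypothetical, and clearing the counter on a successful login is an assumption the guidance does not spell out.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 10  # threshold taken from the guidance above


class AccountStore:
    """In-memory account store with lockout (hypothetical, for illustration)."""

    def __init__(self):
        self._accounts = {}

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password):
        salt = os.urandom(16)
        self._accounts[username] = {
            "salt": salt,
            "hash": self._hash(password, salt),
            "failed": 0,
            "locked": False,
        }

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'."""
        acct = self._accounts.get(username)
        if acct is None:
            return "denied"
        if acct["locked"]:
            # A locked account rejects even the correct password.
            return "locked"
        if hmac.compare_digest(acct["hash"], self._hash(password, acct["salt"])):
            acct["failed"] = 0  # assumption: a success clears the counter
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked"] = True  # stays locked until an administrator acts
            return "locked"
        return "denied"

    def unlock(self, username, new_password=None):
        """Administrator action: clear the lock, optionally set a new password."""
        acct = self._accounts[username]
        acct["failed"], acct["locked"] = 0, False
        if new_password is not None:
            acct["salt"] = os.urandom(16)
            acct["hash"] = self._hash(new_password, acct["salt"])
```

The lock is checked before the password, so once the tenth failure is recorded no further guesses are evaluated until unlock() is called.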
Last changed: 13 August 2022