Identity providers often offer additional policy options that strengthen the password policy. These options help administrators guard against brute force attacks on identities by limiting the number of login attempts. In Windows operating systems this is referred to as the Account Lockout Policy; other identity providers may use a different name for the same set of options.

Regardless, the same options are usually provided. These include:

  • Account Lockout Threshold: This option specifies how many failed login attempts can occur before a user account is locked. It is generally recommended to set this option between 3 and 5 failed login attempts. This is key to defending against brute force password attacks: brute forcing relies on an attacker trying endless password combinations against a login form, and by restricting the login attempts to only a few, the attack can be stopped before it even gets started.
  • Account Lockout Duration: Once an account has been locked out, it needs to remain locked out for a set time period before the user can try to log in again. This way, the progression of a password attack can be further stalled. It is recommended to set the duration to 15 minutes, but you can allow longer if you wish.
  • Reset Account Lockout Counter After: This value specifies how long after the first failed login the failed-attempt counter is reset. A legitimate user may forget their password and, not wishing to be locked out, stop and search for the correct one. With this value configured, the failed login counter is set back to 0 after the specified time period, so the user is not locked out too easily. An acceptable default value for this setting is 15 minutes or more.

Note: Remember that the Account Lockout Duration value must be greater than or equal to the value of Reset Account Lockout Counter After.
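To make the interaction of the three settings concrete, here is an added example (not code from the original text or from any identity provider) that models a lockout counter with all three values and enforces the constraint in the note above. Names such as `LockoutPolicy`, `LockoutTracker` and `attempt` are hypothetical; timestamps are passed in as plain seconds so the behaviour is deterministic.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    """The three settings described above, expressed in seconds (hypothetical names)."""
    threshold: int = 5             # Account Lockout Threshold: failed attempts before lock
    duration_s: int = 15 * 60      # Account Lockout Duration
    reset_after_s: int = 15 * 60   # Reset Account Lockout Counter After

    def __post_init__(self) -> None:
        # Enforce the constraint from the note: duration >= reset-counter window.
        if self.duration_s < self.reset_after_s:
            raise ValueError("lockout duration must be >= reset-counter window")


@dataclass
class AccountState:
    failed: int = 0
    first_failure_at: Optional[float] = None   # start of the current counting window
    locked_until: Optional[float] = None


class LockoutTracker:
    """Tracks failed logins per account; 'now' is supplied by the caller."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def attempt(self, user: str, password_ok: bool, now: float) -> str:
        st = self.accounts.setdefault(user, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"      # rejected even if the password is correct
            st.locked_until, st.failed, st.first_failure_at = None, 0, None
        # Reset Account Lockout Counter After: window measured from the first failure
        if st.first_failure_at is not None and now - st.first_failure_at >= self.policy.reset_after_s:
            st.failed, st.first_failure_at = 0, None
        if password_ok:
            st.failed, st.first_failure_at = 0, None
            return "ok"
        st.failed += 1
        if st.first_failure_at is None:
            st.first_failure_at = now
        if st.failed >= self.policy.threshold:
            st.locked_until = now + self.policy.duration_s
            return "locked"
        return "denied"
```

With a threshold of 3, three failures within the reset window lock the account for the full duration, while a third failure after the window has elapsed only restarts the count.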