
Account Lockout Policy

The document outlines the importance of an Account Lockout Policy as a security measure to prevent unauthorized access through brute force attacks. It describes three key options for configuring the policy: lockout duration, threshold for incorrect attempts, and reset time for failed attempts. While the policy enhances security and legal compliance, it can also lead to user inconvenience and potential abuse by attackers.

Uploaded by

annahsenem

ARMENTA, GEROLAO, MALAPOTE

THE ROLE IN SECURITY OF ACCOUNT LOCKOUT POLICY

Account Lockout Policy

An account lockout policy is a security rule that protects your account against being hacked through a brute-force attack (trying every possible password combination to break into an account, system or encrypted data until the right one is found).

It works like this: if someone tries to guess your password and enters the wrong one too many times in a row, the system will temporarily "lock" the account. This means no one can log in until the lock is lifted, either automatically after some time or manually by an admin.


Three Options
1. Account Lockout Duration
This is the amount of time an account stays locked after
someone tries to log in with the wrong password too many
times.

For example, if the lockout duration is set to two hours, the person will be able to try logging in again after two hours. The default setting has no lockout, but it can be set to anywhere between 0 minutes (no time limit) and 99,999 minutes (a very long time).

If it's set to 0, the account stays locked until an admin manually unlocks it.
2. Account Lockout Threshold
This is the number of incorrect login attempts allowed
before the account is locked.

For example, if you set this to 3, the account will lock after
three failed login attempts. If you set this to 0, the account
won't lock at all, even if someone enters the wrong
password repeatedly. This can be set anywhere from 0 (no
lockout) to 999 attempts.
3. Reset Account Lockout Counter After
This option lets you decide how long the system waits
before it "forgets" the failed login attempts.

For example, if it's set to 15 minutes, the failed attempts counter will reset after 15 minutes, and the person can try again as if it's the first attempt. If this is set to 0, the counter never resets, and the failed attempts just keep adding up until the lockout threshold is reached.
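
How the three options interact on one account, as a small Python model added here (it is not part of the original slides). The names `LockoutPolicy`, `Account`, `attempt` and the constructed timeline are assumptions for illustration, and the semantics follow the slides' descriptions, not any specific product's implementation.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    threshold: int    # failed attempts before lockout; 0 = never lock
    duration: int     # minutes the lock lasts; 0 = until an admin unlocks
    reset_after: int  # minutes until failures are forgotten; 0 = never

@dataclass
class Account:
    failures: int = 0
    last_failure: Optional[int] = None  # minute of the latest failed attempt
    locked_at: Optional[int] = None     # minute the lock started, if locked

def admin_unlock(acct):
    """Lift the lock and clear the failure counter."""
    acct.failures, acct.last_failure, acct.locked_at = 0, None, None

def attempt(policy, acct, now, password_ok):
    """Process one login attempt at minute `now` and return its outcome."""
    if acct.locked_at is not None:
        expired = policy.duration > 0 and now - acct.locked_at >= policy.duration
        if not expired:
            return "locked"      # rejected even if the password is correct
        admin_unlock(acct)       # lockout duration elapsed: automatic unlock
    if (acct.last_failure is not None and policy.reset_after > 0
            and now - acct.last_failure >= policy.reset_after):
        acct.failures = 0        # counter "forgets" the old failures
    if password_ok:
        acct.failures, acct.last_failure = 0, None
        return "success"
    acct.failures, acct.last_failure = acct.failures + 1, now
    if policy.threshold > 0 and acct.failures >= policy.threshold:
        acct.locked_at = now
        return "locked_out"
    return "failed"

def run_timeline(policy, events):
    """Replay (minute, password_correct) events against a fresh account."""
    acct = Account()
    return [attempt(policy, acct, t, ok) for t, ok in events]

# Constructed sample using the slides' example values: 3 attempts, 2 hours, 15 minutes.
SLIDE_POLICY = LockoutPolicy(threshold=3, duration=120, reset_after=15)
TIMELINE = [(0, False), (5, False), (25, False), (26, False), (27, False),
            (30, True), (146, True), (147, True)]

if __name__ == "__main__":
    for (t, ok), result in zip(TIMELINE, run_timeline(SLIDE_POLICY, TIMELINE)):
        print(f"t={t:>3} min  correct={ok!s:<5} -> {result}")
```

In the timeline, the failure at minute 25 counts as a first attempt because the counter was forgotten after 15 minutes, and the correct password is refused at minutes 30 and 146 because the two-hour lock started at minute 27.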

Advantages

Better Security
Stops Hackers: If someone is trying to guess your
password by repeatedly entering wrong ones, the account
will get locked after a few attempts. This makes it harder
for hackers to break in.

Warns a User: If someone is trying to access your account without your permission, the lockout will let you know something suspicious is going on.


Legal Protection (Required by Law)
In some cases, businesses must have this policy to keep customer data safe (industries like healthcare or finance).

Better Awareness
If your account gets locked, you know that something is wrong, and it can encourage you to change your password and protect your account.


Disadvantages

Impact on Users
Inconvenience for Users: A lockout can frustrate users
who forget their passwords or mistype their credentials
multiple times. This can lead to delays in accessing
accounts and increased frustration, particularly if the user
is locked out for an extended period.
Difficulty for Non-Technical Users: Non-technical users
may struggle to understand the reason behind a lockout
or how to resolve the issue, leading to confusion or
helplessness.


Potential for Lockout Abuse
Denial of Service (DoS): Attackers could intentionally trigger a lockout to prevent legitimate users from accessing their accounts, causing inconvenience and disruption to services. This is especially problematic for sensitive or time-critical accounts.


Complexity in Configuration
Balancing Security with Usability: Setting the right
number of failed attempts and lockout duration is
difficult. Too many failed attempts might lock out
legitimate users, while too few could allow attackers to
bypass security measures.
False Positives: Some systems may lock out accounts
even when there are no malicious attempts, such as
when users enter incorrect passwords accidentally or
use password managers with misconfigured entries.
