
FAILEDLOGINCOUNTERWITHINMINUTES - Detailed description


Overview

Parameter: FAILEDLOGINCOUNTERWITHINMINUTES
Category: Login
Default value: 0
Product: eTASK.Login


What does this parameter do?

This parameter defines the time window in minutes during which consecutive failed login attempts are counted. It controls when the failed attempt counter is reset and works closely with the LOCKOUTTHRESHOLD parameter to enable automatic account lockouts.


What is this parameter used for?

  • Defining the time window for counting failed login attempts

  • Protection against brute-force attacks through time-based failed attempt counting

  • Automatic account lockout if too many failed attempts occur within a short period of time

  • Balancing strict security policies with user-friendliness


Technical Details (for Administrators)

Format: Integer - Time specified in minutes
Default value: 0

Valid values:

  • 0 = All consecutive failed attempts are counted, regardless of the time interval

  • 1 up to n = Only failed attempts within the specified minutes are counted

Important notes:

  • If the value is 0, the counter is reset only after a successful login

  • If the value is > 0, only failed attempts within the time window are added

  • A successful login always resets the counter

  • The parameter only works in combination with LOCKOUTTHRESHOLD > 0

Dependent parameters:

  • LOCKOUTTHRESHOLD: Number of failed attempts before account lockout

  • LOCKOUTDURATIONMINUTES: Duration of the automatic account lockout


When should you change this value?

Set the value to a number of minutes (e.g., 5 or 10) if:

  • You want to implement brute-force protection with a time window

  • Users are allowed to make occasional typos without being locked out

  • You want to strike a balance between security and user-friendliness

  • Failed attempts should not be accumulated over a longer period of time

Leave the value 0 (default) if:

  • The strictest security policies apply

  • Every failed attempt should be counted regardless of the time

  • A simple failure count without a time window is sufficient

  • LOCKOUTTHRESHOLD is also set to 0 (account lockout disabled)


Important notes

  1. Interaction with LOCKOUTTHRESHOLD
    This parameter only works if LOCKOUTTHRESHOLD is set to a value > 0. Together, both parameters form the brute-force protection.

  2. A value of 0 means unlimited accumulation.
    At the default value 0, all failed attempts are counted, regardless of how long ago they occurred. The counter is only reset upon a successful login.

  3. Time window example
    With a value of 5, only failed attempts from the last 5 minutes are counted. A failed attempt from 6 minutes ago is no longer taken into account.

  4. Resetting the counter
    The failed attempt counter is reset in two situations: upon successful login or if failed attempts fall outside the defined time window.


Security

Does changing this parameter affect security?

Yes, a change has a direct impact on security against brute-force attacks.

  • With the value 0 (default), all failed attempts are accumulated—maximum security, but less user-friendly

  • At higher values, a time window is introduced—a good balance between security and usability

  • Values that are too high (e.g., 60 minutes) significantly weaken brute-force protection

  • The parameter should be configured in combination with a reasonable LOCKOUTTHRESHOLD

Recommended security configuration:

  • FAILEDLOGINCOUNTERWITHINMINUTES: 5–15 minutes

  • LOCKOUTTHRESHOLD: 3–5 failed attempts

  • LOCKOUTDURATIONMINUTES: 15–30 minutes

Conclusion: This parameter is security-relevant and should be configured in accordance with company policies. A value between 5 and 15 minutes offers a good balance between security and user-friendliness.


Practical example

Initial situation:
A company has set FAILEDLOGINCOUNTERWITHINMINUTES to 0 and LOCKOUTTHRESHOLD to 3. A user makes a typo in their password, corrects it the next day, makes another mistake, and gets locked out after the third attempt, even though the attempts were spread out over several days.

Configuration:
The administrator changes FAILEDLOGINCOUNTERWITHINMINUTES to 10 (10 minutes).

After the change:

  • A user enters the wrong password three times in a row

  • After 11 minutes, they try again with incorrect credentials

  • The previous failed attempt counter is reset because more than 10 minutes have passed

  • The counter starts at 1, not 4—the user is not locked out

  • If there were three failed attempts within 10 minutes, the lockout would take effect

Result:
Users are locked out only after repeated failed attempts within a short period of time, not due to occasional typos over longer periods. This improves the user experience without compromising brute-force protection.
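The counting rules described on this page can be replayed offline before a value is changed in production. The following is an added example, not eTASK code: the function name `replay_logins`, the sliding-window interpretation (a failure exactly n minutes old still counts) and all timelines are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

def replay_logins(events, lockout_threshold, counter_within_minutes):
    """Replay (timestamp, success) events under the documented rules.

    Returns (counter value after each event, time of lockout or None).
    Hypothetical model of the documented behaviour, not the product's code.
    """
    failures = []   # timestamps of failed attempts that still count
    counts = []
    for ts, success in sorted(events):
        if success:
            failures = []                       # a successful login always resets
        else:
            failures.append(ts)
            if counter_within_minutes > 0:      # 0 = count failures of any age
                cutoff = ts - timedelta(minutes=counter_within_minutes)
                failures = [f for f in failures if f >= cutoff]
        counts.append(len(failures))
        # Lockout is only active when LOCKOUTTHRESHOLD > 0.
        if not success and 0 < lockout_threshold <= len(failures):
            return counts, ts
    return counts, None

# Constructed sample timelines (not taken from real logs).
T0 = datetime(2024, 1, 1, 9, 0)

def at(**delta):
    return T0 + timedelta(**delta)

SPREAD = [(at(days=d), False) for d in (0, 1, 2)]        # one typo per day
BURST = [(at(minutes=m), False) for m in (0, 2, 4)]      # three failures in 4 min
GAP = [(at(minutes=m), False) for m in (0, 1, 12)]       # retry 11 min later
RESET = [(at(minutes=0), False), (at(minutes=1), False),
         (at(minutes=2), True), (at(minutes=3), False)]  # success in between

if __name__ == "__main__":
    for name, events, window in [("SPREAD", SPREAD, 0), ("SPREAD", SPREAD, 10),
                                 ("BURST", BURST, 10), ("GAP", GAP, 10),
                                 ("RESET", RESET, 0)]:
        counts, locked = replay_logins(events, 3, window)
        print(f"{name:6} window={window:2} counts={counts} locked_at={locked}")
```
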


Recommended setting

For standard installations: 10 (10 minutes)

Reason:

  • Provides effective protection against automated brute-force attacks

  • Prevents lockouts caused by occasional typos over an extended period

  • Balances security and user-friendliness

  • Complies with common IT security standards

Alternative configurations:

  • High-security environments: 5 minutes - stricter protection

  • User-friendly environments: 15 minutes - greater tolerance for errors

  • Maximum security: 0 - all failed attempts are counted


Tip: Combine this parameter with LOCKOUTTHRESHOLD = 3-5 and LOCKOUTDURATIONMINUTES = 15-30 for a balanced security configuration. Test the settings in a test environment before deploying them to production.


