Overview
Parameter: LOCKOUTDURATIONMINUTES
Category: Login
Default value: 30
Product: eTASK.Login
What does this parameter do?
Sets the duration of the lockout in minutes if multiple failed login attempts occur on the portal. The default value is 30 minutes. If set to 0, the account can only be unlocked by portal administrators. After the specified lockout period expires, the user account is automatically unlocked and the user can log in again.
What is this parameter used for?
Automatic account lockout after too many failed login attempts
Protection against brute-force attacks on user accounts
Time-limited lockout to balance security and user-friendliness
Automatic unlocking without administrator intervention
Reduction of administrative overhead in the event of accidental failed login attempts
Compliance with security policies and regulatory requirements
Deterrence against automated login attacks
Technical Details (for Administrators)
Format: Integer
Default value: 30
Valid values:
0 = Permanent lock - Account can only be unlocked manually by portal administrators
1 to 999999 = Number of minutes until automatic unlocking
Important notes:
The lockout period begins at the time of the last failed login attempt
After the lockout period expires, the account is automatically unlocked
If the value is 0, manual unlocking by administrators is required
The failed attempt counter is reset after a successful login, not after unlocking
The lockout only takes effect if the number of failed attempts exceeds the threshold
Interaction with other parameters:
LOCKOUTTHRESHOLD: Defines the number of failed login attempts at which the account is locked
FAILEDLOGINCOUNTERWITHINMINUTES: Specifies the time window during which failed login attempts are counted
When should you change this value?
Leave the value at 30 (default) if:
Standard security is sufficient for typical enterprise environments
You want a balance between security and user-friendliness
Moderate security requirements exist
There are no specific compliance requirements
Administrators should not have to constantly perform unlocking
Reduce the value to 15–20 (shorter lockout period) if:
Greater user-friendliness is desired
Frequent accidental input errors occur
There is a low security risk
Quick access after a short lockout is important
Users should not have to wait long
Increase the value to 60–120 (longer lockout) if:
There are increased security requirements
Sensitive data needs to be protected
Compliance requirements mandate longer lockout periods
Frequent attacks on user accounts are observed
You want to increase the deterrent effect on attackers
Set value to 0 (permanent lockout) if:
Maximum security is required
Only administrators are allowed to unlock accounts
A very high security level is in place for critical systems
Every account lockout should be manually reviewed
Regulatory requirements mandate this
Suspicious activities must be investigated
Important Notes
Automatic Unlock vs. Manual Unlock
For values greater than 0, the account is automatically unlocked after the time period expires. For a value of 0, administrators must manually unlock each locked account, which leads to increased support effort.
Calculation from the last failed attempt
The lockout period begins with the last failed login attempt. Additional failed attempts during the lockout period do not automatically extend the lockout.
Coordination with LOCKOUTTHRESHOLD
LOCKOUTDURATIONMINUTES only takes effect if the number of failed attempts defined in LOCKOUTTHRESHOLD is exceeded. Both parameters must be coordinated.
Impact on user experience
Lockout periods that are too short weaken security, while lockout periods that are too long frustrate legitimate users. Choose a value that balances both considerations.
No retroactive effect
Changing the parameter only affects new lockouts. Accounts that are already locked retain their original lockout duration.
Security
Does changing this parameter affect security?
Yes, changing this parameter has a significant impact on security.
Positive aspects:
Effective protection against brute-force attacks through time-based blocking
Automated attacks are significantly slowed down
Prevents rapid successive password attempts
Balance between security and availability with appropriate configuration
Deterrent effect on potential attackers
Note:
Lockout periods that are too short (less than 10 minutes) provide insufficient protection
Lockout periods that are too long can lead to denial-of-service if attackers intentionally lock out accounts whose usernames they know
A value of 0 requires administrative resources for manual unblocking
Very long lockout periods can lock out legitimate users
Attackers could deliberately lock out many accounts whose usernames they know to cause disruptions
Combined with a low LOCKOUTTHRESHOLD, accidental lockouts may increase
Data protection assessment:
Account lockout mechanism is a legitimate security interest
Locks should be logged for traceability
Users should be informed about the lockout mechanism
Automatic unlocking minimizes unnecessary interference with usage rights
Practical example
Initial situation: A company uses LOCKOUTDURATIONMINUTES=5 (5-minute lockout) and LOCKOUTTHRESHOLD=3 (3 failed attempts). The help desk reports that suspicious login attempts are being recorded on various accounts. The security analysis shows that attackers are systematically testing passwords.
Configuration: The administrator increases LOCKOUTDURATIONMINUTES to 60 minutes.
After the change:
After the first 3 failed attempts, the account is locked for 60 minutes (instead of 5 minutes)
After the lockout period expires, the attacker has one more attempt before the account is locked again for 60 minutes
Realistically, an attacker can only test about 25–30 passwords per day (one attempt every 60 minutes) instead of the previous 290
With complex passwords having millions of combinations, a successful attack is practically impossible
Legitimate users who have forgotten their password can make another attempt after a maximum of one hour or contact the help desk
The number of suspicious login attempts drops significantly
Result: Significantly improved protection against brute-force attacks. The combination of a threshold and a longer lockout period renders automated attacks practically ineffective, as the failed attempt counter is only reset after a successful login. With only one attempt per hour, brute-force attacks are no longer feasible.
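The lockout rules from the Technical Details section (lockout starts at the last failed attempt, attempts during the lockout do not extend it, 0 means permanent, counter reset only on successful login) and the per-day attempt bound from this practical example, as an added Python model that is not part of eTASK.Login. Class, function and field names are this example's own; how FAILEDLOGINCOUNTERWITHINMINUTES applies once the counter has already reached the threshold is not stated on the page and is assumed here.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockoutPolicy:
    lockout_threshold: int          # LOCKOUTTHRESHOLD
    lockout_duration_minutes: int   # LOCKOUTDURATIONMINUTES, 0 = permanent
    counter_window_minutes: int     # FAILEDLOGINCOUNTERWITHINMINUTES


@dataclass
class AccountState:
    failed_at: List[float] = field(default_factory=list)  # minutes, counted failures
    locked_at: Optional[float] = None   # time of the failure that triggered the lock

    def is_locked(self, now: float, policy: LockoutPolicy) -> bool:
        if self.locked_at is None:
            return False
        if policy.lockout_duration_minutes == 0:
            return True   # permanent lock: only admin_unlock() clears it
        return now < self.locked_at + policy.lockout_duration_minutes


def attempt_login(state: AccountState, policy: LockoutPolicy, now: float, password_ok: bool) -> str:
    """Process one login attempt at time `now` (minutes); returns 'ok', 'rejected' or 'locked'."""
    if state.is_locked(now, policy):
        return "locked"   # attempts during the lock are not counted and do not extend it
    state.locked_at = None   # lock expired: account unlocked, but the counter is NOT reset
    if password_ok:
        state.failed_at.clear()   # the counter resets only on a successful login
        return "ok"
    if len(state.failed_at) < policy.lockout_threshold:
        # Assumption: the counting window prunes old failures only while the counter is
        # still building up; once the threshold has been reached the count persists.
        state.failed_at = [t for t in state.failed_at if now - t < policy.counter_window_minutes]
    state.failed_at.append(now)
    if len(state.failed_at) >= policy.lockout_threshold:
        state.locked_at = now   # the lockout period starts at the last failed attempt
        return "locked"
    return "rejected"


def admin_unlock(state: AccountState) -> None:
    """Manual unlock by a portal administrator (scenario A): clears lock and counter."""
    state.locked_at = None
    state.failed_at.clear()


def steady_state_attempts_per_day(policy: LockoutPolicy) -> int:
    """Guesses possible per day once the threshold has been hit (0 for a permanent lock)."""
    if policy.lockout_duration_minutes == 0:
        return 0
    return 1440 // policy.lockout_duration_minutes   # one attempt per lockout period
```

With LOCKOUTDURATIONMINUTES=60 the model yields 24 guesses per day in the steady state, with 5 it yields 288, and with 120 it yields 12, in line with the figures given above.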
Alternative scenarios:
Scenario A - High-security environment:
LOCKOUTDURATIONMINUTES=0 (permanent lockout)
LOCKOUTTHRESHOLD=3
Permanent lockout after 3 failed attempts
Every lockout must be investigated by the security team
Manual unlocking after identity verification and counter reset
Maximum protection for sensitive financial data
Increased administrative effort accepted
Scenario B - User-friendly environment:
LOCKOUTDURATIONMINUTES=15
LOCKOUTTHRESHOLD=5
Moderate security with greater user-friendliness
Users have 5 initial attempts, followed by one every 15 minutes
Suitable for internal systems with no external exposure
Note to users: If you fail multiple times, contact the help desk instead of waiting
Scenario C - Compliance Requirement:
LOCKOUTDURATIONMINUTES=120 (2 hours)
LOCKOUTTHRESHOLD=3
Meets strict financial industry security standards
After 3 failed attempts, only one attempt is allowed every 2 hours
Brute-force attacks are practically impossible (max. 12 attempts/day)
Documented security measure for audits
Users are informed of the policy in advance and instructed to contact the help desk directly if they encounter password issues
Recommended setting
For standard installations: 30 (30 minutes)
Rationale:
A good balance between security and user-friendliness
Effective protection against brute-force attacks
Automatic unlocking without administrator intervention
Moderate wait time for legitimate users
Complies with current security best practices
Important: Coordinate LOCKOUTDURATIONMINUTES with LOCKOUTTHRESHOLD.