Control Lockout Time for Invalid Password Reset Attempts [Updated in Security Center 1.3 and 2.0]

The password_reset.request.max_attempt_window property controls the number of minutes a user must wait to reset or change their password after exceeding the maximum number of unsuccessful attempts that is set with the password_reset.request.max_attempt property.

A small value for the password_reset.request.max_attempt_window property increases the risk of a successful brute-force attack on a password, because a greater number of password reset attempts can be made. The default of 1440 minutes is recommended.

Ensure the property password_reset.request.max_attempt_window is set to 1440 or greater.
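
The check above, written as an added example (not ServiceNow's own code). It takes the two property values as strings, flags a window that is missing, malformed, or below 1440, and estimates how many reset attempts per user a given window allows in 24 hours. The function names, the sample values, and the attempts-per-day model are assumptions made for this example.

```javascript
// Added example. Property names are from the page; sample values are constructed.
const WINDOW_PROP = 'password_reset.request.max_attempt_window';
const ATTEMPT_PROP = 'password_reset.request.max_attempt';
const MIN_WINDOW = 1440; // minutes, the minimum the page recommends

// System properties are stored as strings; accept whole numbers only.
function parseCount(raw) {
  if (typeof raw !== 'string' || !/^\d+$/.test(raw.trim())) return null;
  return parseInt(raw.trim(), 10);
}

// props: object mapping property name -> string value. On an instance these
// could be collected with gs.getProperty(name) (assumed collection method).
function auditResetLockout(props) {
  const windowMin = parseCount(props[WINDOW_PROP]);
  const maxAttempts = parseCount(props[ATTEMPT_PROP]);
  const findings = [];
  if (windowMin === null) {
    findings.push(WINDOW_PROP + ' is missing or not a whole number; set it explicitly');
  } else if (windowMin < MIN_WINDOW) {
    findings.push(WINDOW_PROP + ' is ' + windowMin + ', below ' + MIN_WINDOW);
  }
  // Upper bound on reset attempts per user in 24 hours, assuming a fresh
  // allowance of maxAttempts each time the window elapses (model assumption).
  let attemptsPerDay = null;
  if (windowMin !== null && maxAttempts !== null) {
    attemptsPerDay = windowMin === 0
      ? Infinity
      : maxAttempts * Math.ceil(1440 / windowMin);
  }
  return { compliant: findings.length === 0, findings, attemptsPerDay };
}

// Constructed sample configurations.
const samples = {
  recommended: { [WINDOW_PROP]: '1440', [ATTEMPT_PROP]: '3' },
  shortWindow: { [WINDOW_PROP]: '15', [ATTEMPT_PROP]: '3' },
  malformed: { [WINDOW_PROP]: '1d', [ATTEMPT_PROP]: '3' },
};
for (const [name, props] of Object.entries(samples)) {
  console.log(name, JSON.stringify(auditResetLockout(props)));
}
```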

More information

To learn more about adding or creating a system property, see Add a system property.