Minimize reset password request max attempt allowance [Updated in Security Center 1.3]

The password_reset.request.max_attempt is used to control the maximum number of unsuccessful attempts that a user can reset or change their password before being locked out for a specified period of time.

More information

AttributeDescription
Property name password_reset.request.max_attempt
Configuration type System Properties (/sys_properties_list.do)
Category Authentication
Purpose Denotes the maximum number of unsuccessful password reset attempts that can be taken before the user is locked out of password reset process. The lockout period is determined by the value in password_reset.request.max_attempt_window.
Recommended value Set to a positive integer value less than three. The default value is 3. When you determine the limit for the upper range of the property, consider the task that the user is performing.
Configuration type Positive integer values
Security risk (High) If the property is not set to the recommended value of "3" or other reasonable small value, then it could be possible to perform a brute force attack against the password reset process.
Security risk rating 7.5
References Configure Password Reset properties

To learn more about adding or creating a system property, see Add a system property.