After how many invalid logon attempts should user accounts be locked out?

Prepare for the PCI DSS QSA Exam with detailed quiz questions. Sharpen your understanding with multiple choice questions, each curated to enhance your readiness for the official test. Ace your certification!

The selected answer is 6. PCI DSS v3.2.1 Requirement 8.1.6 requires that a user ID be locked out after not more than six invalid logon attempts, so 6 is the maximum the standard permits, not a recommended target. Many organizations set a lower threshold, commonly 5, to leave a margin under the ceiling while still tolerating ordinary typing mistakes. Note that PCI DSS v4.0 (Requirement 8.3.4) raised the ceiling to 10 attempts, so check which version of the standard an exam question is based on.

Locking an account after a set number of invalid attempts is a control against password guessing and brute-force attacks: it caps how many guesses an attacker gets before the account becomes unusable to them. Enforcing the lockout automatically, in the authentication system rather than by manual review, closes the window between the guessing and the response. The standard sets only an upper bound on the number of attempts; within that bound, each organization chooses a threshold that protects its systems while minimizing disruption for legitimate users. The companion requirement (8.1.7 in v3.2.1) fixes the lockout duration at a minimum of 30 minutes, or until an administrator re-enables the user ID.

A threshold of 4 attempts would also satisfy the requirement, since it is stricter than the ceiling, but it is not what the standard specifies, and a very low threshold increases accidental lockouts of legitimate users and makes it easier for an attacker to lock other people out deliberately. Any number above 6 exceeds the v3.2.1 limit and gives an attacker more guesses per lockout window. The answer of 6 is therefore the figure the standard itself states, balancing user accessibility against the limit on guessing.
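To make the mechanism concrete, the following is an added example (not code from the page or from any PCI DSS reference implementation) of a lockout policy that enforces the v3.2.1 figures: lock the user ID after 6 invalid attempts, keep it locked for 30 minutes or until an administrator unlocks it, and reset the counter on a successful logon. The credential store, user name and guesses are constructed for the demonstration; the injectable clock exists only so the lockout expiry can be exercised without waiting.

```python
import hmac
import time
from dataclasses import dataclass

# Figures from PCI DSS v3.2.1 Requirements 8.1.6 and 8.1.7.
MAX_ATTEMPTS = 6
LOCKOUT_SECONDS = 30 * 60


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0  # 0.0 means not locked


class LockoutPolicy:
    """Tracks invalid logon attempts per user ID and enforces lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so the expiry can be tested
        self.accounts = {}

    def _state(self, user_id):
        return self.accounts.setdefault(user_id, AccountState())

    def is_locked(self, user_id):
        st = self._state(user_id)
        if st.locked_until and self.clock() < st.locked_until:
            return True
        if st.locked_until:
            # Lockout has expired: clear it and start a fresh count.
            st.locked_until = 0.0
            st.failed_attempts = 0
        return False

    def attempt_login(self, user_id, password, verify):
        """Return 'locked', 'ok' or 'denied'.

        The lockout is checked before the password is verified, so a locked
        account reveals nothing about whether a guess was correct.
        """
        st = self._state(user_id)
        if self.is_locked(user_id):
            return "locked"
        if verify(user_id, password):
            st.failed_attempts = 0
            return "ok"
        st.failed_attempts += 1
        if st.failed_attempts >= self.max_attempts:
            st.locked_until = self.clock() + self.lockout_seconds
            return "locked"
        return "denied"

    def admin_unlock(self, user_id):
        """Administrator re-enables the user ID before the timer expires."""
        self.accounts[user_id] = AccountState()


# Constructed sample store; plaintext only for the demonstration.
CREDENTIALS = {"alice": "correct-horse"}


def verify(user_id, password):
    expected = CREDENTIALS.get(user_id, "")
    return hmac.compare_digest(expected.encode(), password.encode())


class FakeClock:
    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Six wrong guesses lock the account; the correct password is then
    refused until the 30-minute lockout has elapsed."""
    clock = FakeClock()
    policy = LockoutPolicy(clock=clock.now)
    guesses = ["password", "123456", "qwerty", "letmein",
               "welcome", "admin", "correct-horse"]
    during = [policy.attempt_login("alice", g, verify) for g in guesses]
    clock.advance(LOCKOUT_SECONDS)
    after = policy.attempt_login("alice", "correct-horse", verify)
    return during, after


if __name__ == "__main__":
    print(demo())
```

The sixth invalid attempt is what triggers the lock, so the seventh entry in the result list is "locked" even though the password is correct; only after the lockout window (or an `admin_unlock`) does the same password succeed.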
