Control Lockout Time for Invalid Password Reset Attempts [Updated in Security Center 1.3 and 2.0]
The password_reset.request.max_attempt_window property defines the number of minutes a user must wait before another password reset or password change attempt is accepted after the maximum number of unsuccessful attempts, set by the password_reset.request.max_attempt property, has been exceeded. A small value for password_reset.request.max_attempt_window increases the risk of a successful password brute-force attack, because the lockout expires sooner and more reset attempts can be made in a given period. The default of 1440 minutes (24 hours) is recommended.
Ensure the property password_reset.request.max_attempt_window is set to 1440 or greater.
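The following is an added example, not part of the ServiceNow documentation, showing how an external compliance check could evaluate this property from a Table API response. It assumes the caller has already issued GET /api/now/table/sys_properties with sysparm_query=nameINpassword_reset.request.max_attempt_window,password_reset.request.max_attempt and sysparm_fields=name,value; the JSON body below is constructed, not captured from an instance, and the value 5 for password_reset.request.max_attempt is an assumed illustrative setting, not a documented default. The attempts-per-day figure is an estimate from a simple model (max_attempt tries, then max_attempt_window minutes of waiting, repeated) that makes the reasoning in the paragraph above concrete.

```python
"""Added example (not ServiceNow's own code): check the password reset lockout
window returned by the sys_properties Table API against the 1440-minute baseline.

Assumptions (not stated on the documentation page):
- Response shape is that of GET /api/now/table/sys_properties?sysparm_fields=name,value
- The sample body below is constructed; the max_attempt value of 5 is illustrative.
- A lockout cycle is max_attempt tries followed by max_attempt_window minutes of waiting.
"""
import json
import math

RECOMMENDED_WINDOW_MINUTES = 1440
WINDOW_PROP = "password_reset.request.max_attempt_window"
ATTEMPT_PROP = "password_reset.request.max_attempt"

# Constructed sample response: the window has been lowered to 15 minutes.
SAMPLE_RESPONSE = json.dumps({
    "result": [
        {"name": WINDOW_PROP, "value": "15"},
        {"name": ATTEMPT_PROP, "value": "5"},  # assumed value, not a documented default
    ]
})


def parse_properties(response_body):
    """Map property name -> raw string value from a Table API JSON body."""
    data = json.loads(response_body)
    return {row["name"]: row.get("value", "") for row in data.get("result", [])}


def parse_positive_int(raw):
    """The property is documented as a positive integer; anything else is a misconfiguration."""
    try:
        value = int(str(raw).strip())
    except (TypeError, ValueError):
        return None
    return value if value > 0 else None


def reset_attempts_per_day(max_attempt, window_minutes):
    """Estimated reset attempts an attacker gets against one account in 24 hours:
    each cycle is max_attempt tries followed by window_minutes of lockout."""
    cycles = math.ceil(RECOMMENDED_WINDOW_MINUTES / window_minutes)
    return max_attempt * cycles


def evaluate(properties):
    """Return (compliant, finding) for the lockout window property."""
    window = parse_positive_int(properties.get(WINDOW_PROP))
    if window is None:
        return False, (f"{WINDOW_PROP} is missing or not a positive integer; "
                       f"expected {RECOMMENDED_WINDOW_MINUTES} or greater")

    # The window alone says how long the lockout lasts; combined with the attempt
    # cap it says how many guesses per day the configuration actually permits.
    max_attempt = parse_positive_int(properties.get(ATTEMPT_PROP))
    exposure = ""
    if max_attempt is not None:
        exposure = f" (~{reset_attempts_per_day(max_attempt, window)} reset attempts/day per account)"

    if window < RECOMMENDED_WINDOW_MINUTES:
        return False, f"{WINDOW_PROP}={window} is below {RECOMMENDED_WINDOW_MINUTES}{exposure}"
    return True, f"{WINDOW_PROP}={window} meets the recommendation{exposure}"


if __name__ == "__main__":
    compliant, finding = evaluate(parse_properties(SAMPLE_RESPONSE))
    print("PASS" if compliant else "FAIL", finding)
```

With the constructed sample the check fails: a 15-minute window with a cap of 5 allows roughly 480 reset attempts per account per day, against 5 per day at the recommended 1440 minutes. A value above 1440 passes, since a longer lockout only reduces the attempt rate further.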
More information
| Attribute | Description |
|---|---|
| Property name | password_reset.request.max_attempt_window |
| Configuration type | System Properties (/sys_properties_list.do) |
| Category | Authentication |
| Purpose | Denotes the lockout period in minutes that applies once the maximum number of unsuccessful password reset attempts has been reached. |
| Recommended value | 1440 |
| Default value | 1440 |
| Value type | Positive integer values |
| Security risk | (High) If the property is set to a value lower than the recommended 1440, the lockout that follows the maximum number of unsuccessful password reset attempts expires sooner, so more reset attempts can be made against an account in a given period, making a brute-force attack on the password more feasible. |
| Security risk rating | 7.5 |
| References | Configure Password Reset properties |
To learn more about adding or creating a system property, see Add a system property.