Limit Invalid Password Reset Attempts

  • Release version: Australia
  • Updated March 12, 2026
  • The password_reset.request.max_attempt property controls the maximum number of unsuccessful attempts a user can make to reset or change their password before being locked out for a specified period of time.

    The password_reset.request.max_attempt system property sets the maximum number of unsuccessful password reset attempts allowed before the user is locked out of the password reset process. The lockout period is determined by the value of password_reset.request.max_attempt_window.

    Ensure that the property password_reset.request.max_attempt is set to 3 or less.

    More information

    Attribute: Description
    Configuration name: password_reset.request.max_attempt
    Configuration type: System Properties (/sys_properties_list.do)
    Data type: Integer
    Recommended value: An integer less than or equal to 3
    Default value: <none>
    Fallback value: 3
    Category: Configure Password Reset properties
    Security risk:
    • Severity score: 7.5
    • CVSS rating: High
    • Security risk details: If the value is too high, it could be possible to perform a brute-force attack against the password reset process.
    Functional impact: None
    Dependencies and prerequisites: None
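
The check described above, written as an added example (not ServiceNow code): a function that audits exported system property rows against the recommended and fallback values on this page. The `{ name, value }` row shape, the function name `auditMaxAttempt`, the status labels, and the sample values are assumptions made for illustration.

```javascript
// Added example: checks exported system properties against this page's guidance.
const PROP = 'password_reset.request.max_attempt';
const WINDOW_PROP = 'password_reset.request.max_attempt_window';
const FALLBACK = 3;        // "Fallback value" from this page
const RECOMMENDED_MAX = 3; // "Recommended value" from this page

// rows: [{ name, value }] -- assumed export shape, not a ServiceNow API.
function auditMaxAttempt(rows) {
  const byName = new Map(rows.map((r) => [r.name, r.value]));
  const out = {
    configured: byName.has(PROP) ? byName.get(PROP) : null,
    window: byName.has(WINDOW_PROP) ? byName.get(WINDOW_PROP) : null,
    effective: null,
    status: 'REVIEW',
    detail: '',
  };
  if (out.configured === null) {
    // Assumption: with no property record, the documented fallback applies.
    out.effective = FALLBACK;
    out.status = 'PASS';
    out.detail = 'property not set; fallback value applies';
    return out;
  }
  const text = String(out.configured).trim();
  if (!/^-?\d+$/.test(text)) {
    out.detail = 'value is not an integer; effective limit is unknown';
    return out;
  }
  out.effective = Number(text);
  if (out.effective > RECOMMENDED_MAX) {
    out.status = 'FAIL';
    out.detail = `allows ${out.effective} attempts; set to ${RECOMMENDED_MAX} or less`;
  } else if (out.effective < 1) {
    // The page does not define zero or negative values, so do not pass them.
    out.detail = 'zero or negative limit; behaviour is not documented here';
  } else {
    out.status = 'PASS';
    out.detail = 'within the recommended limit';
  }
  return out;
}

// Constructed sample rows, not taken from a real instance.
const sample = [
  { name: PROP, value: '10' },
  { name: WINDOW_PROP, value: '1440' },
];
console.log(auditMaxAttempt(sample));
```

A `REVIEW` result means the stored value cannot be judged from this page alone and should be inspected by hand in System Properties.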