Account Lockout Policy

Document ID: ALP-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________


1. Purpose

The purpose of this Account Lockout Policy is to protect organizational systems and accounts from unauthorized access by limiting repeated failed authentication attempts. This policy establishes requirements for detecting and responding to potential password guessing, brute-force, credential stuffing, and other authentication-based attacks while minimizing disruption to legitimate users.


2. Scope

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Temporary workers
  • Interns
  • Vendors
  • Third-party service providers
  • Managed Service Providers (MSPs)
  • Customers, where applicable
  • Service accounts (where supported)
  • Privileged accounts
  • Standard user accounts

This policy applies to authentication for:

  • Active Directory and directory services
  • Cloud identity providers
  • SaaS applications
  • Business applications
  • Web portals
  • VPNs
  • Email systems
  • Remote access solutions
  • Administrative consoles
  • End-user devices

3. Policy Statement

The organization shall implement account lockout controls or equivalent protective mechanisms to reduce the risk of unauthorized access resulting from repeated failed authentication attempts.

Authentication systems shall automatically respond to excessive failed login attempts through account lockout, authentication throttling, progressive delays, CAPTCHA, risk-based authentication, or other approved security controls appropriate to the system.


4. Guiding Principles

The organization follows these principles:

  • Protect against brute-force attacks
  • Minimize denial-of-service risks
  • Balance security with business continuity
  • Apply consistent authentication controls
  • Monitor suspicious authentication activity
  • Support Zero Trust security principles

5. Failed Authentication Attempts

Authentication systems shall monitor failed login attempts.

Where account lockout is implemented, the organization shall define:

  • Maximum permitted failed attempts
  • Lockout duration
  • Reset period for failed attempt counters
  • Administrative unlock procedures
  • Exception processes

Specific threshold values shall be established in supporting technical standards based on organizational risk.


6. Account Lockout Controls

Where technically supported, authentication systems should automatically:

  • Lock accounts after excessive failed attempts
  • Notify users of lockout events where appropriate
  • Log lockout events
  • Alert administrators of suspicious activity
  • Prevent automated password guessing attacks

Alternative protections may be used when account lockout is not appropriate or technically feasible.


7. Risk-Based Authentication

Where supported, authentication systems may use additional factors before locking accounts, including:

  • Geographic location
  • Device reputation
  • IP address reputation
  • User behavior analytics
  • Time of access
  • Device health
  • Network trust
  • Multi-Factor Authentication (MFA) status

Risk-based authentication may reduce unnecessary account lockouts while maintaining security.


8. Administrative Accounts

Administrative and privileged accounts shall receive enhanced protection.

Additional safeguards may include:

  • Multi-Factor Authentication (MFA)
  • Conditional access policies
  • Dedicated administrative workstations
  • Just-in-Time (JIT) access
  • Enhanced monitoring
  • Immediate alerting for repeated failed authentication attempts

9. Service Accounts

Service accounts should not rely on interactive authentication where possible.

Where authentication failures occur for service accounts:

  • Events shall be logged
  • Failures shall be investigated
  • Lockout settings shall be carefully configured to avoid disrupting critical business services
  • Compensating controls shall be implemented when traditional lockout mechanisms are not appropriate

10. Account Unlock Procedures

Locked accounts may be restored through:

  • Automatic expiration of the lockout period
  • Verified self-service account recovery
  • Help desk verification procedures
  • Identity verification by authorized personnel
  • Administrative account unlock procedures

Identity verification shall occur before manually unlocking accounts.


11. Monitoring and Logging

Authentication systems shall log, where technically feasible:

  • Failed login attempts
  • Successful logins following failed attempts
  • Account lockout events
  • Administrative unlock actions
  • Password guessing attempts
  • Credential stuffing indicators
  • Suspicious authentication patterns

Logs shall be protected from unauthorized modification.


12. Security Monitoring

Security personnel shall review authentication events to identify:

  • Brute-force attacks
  • Password spraying
  • Credential stuffing
  • Repeated authentication failures
  • Privileged account attacks
  • Insider threats
  • Indicators of compromise

Suspicious activity shall be investigated according to the Incident Response Policy.


13. User Responsibilities

Users shall:

  • Enter credentials carefully
  • Report unexpected account lockouts
  • Notify IT of suspected unauthorized login attempts
  • Protect authentication credentials
  • Use approved password management practices

Users shall not intentionally trigger repeated authentication failures.


14. Administrative Responsibilities

IT administrators shall:

  • Configure authentication protections
  • Monitor lockout events
  • Investigate unusual authentication activity
  • Unlock accounts after appropriate identity verification
  • Maintain authentication logs
  • Periodically review authentication settings

15. Exceptions

Exceptions to this policy require:

  • Documented business justification
  • Risk assessment
  • Management approval
  • Information Security approval where applicable
  • Compensating security controls
  • Periodic review

Exceptions shall be documented and retained.


16. Compliance

Compliance with this policy is mandatory.

Violations may result in:

  • Suspension of access
  • Removal of administrative privileges
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

17. Policy Review

This policy shall be reviewed at least annually or following:

  • Significant authentication system changes
  • Security incidents
  • Regulatory updates
  • Audit findings
  • Organizational changes

18. Related Policies

  • Information Security Policy
  • Access Control Policy
  • Identity and Authentication Policy
  • Password Policy
  • Multi-Factor Authentication (MFA) Policy
  • Privileged Access Management (PAM) Policy
  • Least Privilege Policy
  • Remote Access Policy
  • Logging and Monitoring Policy
  • Incident Response Policy
  • Acceptable Use Policy

Document Objective

This policy establishes the organization’s requirements for protecting user accounts against unauthorized access through the implementation of account lockout and equivalent authentication protection mechanisms. It is designed to reduce the risk of brute-force attacks, password spraying, and credential stuffing while supporting business continuity through balanced authentication controls. This vendor-neutral policy aligns with widely recognized security frameworks, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.