Before implementing or modifying account lockout policies, conduct a thorough assessment of your organization's security requirements, user behavior patterns, and regulatory obligations.

• Identify account types and sensitivity levels: Catalog all user accounts and categorize them by access level, standard users, privileged users, service accounts, and external users. Different categories require different lockout thresholds to balance security with operational needs.
• Review regulatory requirements: Determine which compliance frameworks apply to your organization (PCI DSS, HIPAA, SOX, GDPR) and document specific requirements for access control and failed login handling to ensure your policy meets all obligations.
• Analyze historical lockout data: Review help desk tickets and security logs to understand current lockout patterns, how often do legitimate users get locked out? What are the peak times? This data informs appropriate threshold and duration settings.

Set failed attempt limits that provide strong protection against brute force attacks while minimizing disruption to legitimate users who occasionally mistype passwords.

• Set standard user threshold: Configure 5-10 failed attempts for regular user accounts, as recommended by NCSC. This range allows for legitimate mistakes (typo corrections, caps lock issues) while still blocking systematic attacks.
• Implement stricter controls for privileged accounts: Reduce the threshold to 3-5 attempts for administrators, executives, and service accounts with elevated permissions. Their greater access justifies stricter security controls.
• Configure observation windows: Set a 15-30 minute observation period so only attempts within this timeframe count toward lockout. This prevents attackers from "low and slow" attacks while avoiding lockouts from occasional mistakes over days or weeks.

Determine how long accounts remain locked and establish recovery procedures that balance security requirements with business continuity needs.

• Set automatic unlock timers: Configure 15-30 minute automatic unlock durations for standard accounts. This provides adequate security delay while reducing help desk burden from users who simply made multiple typos.
• Require manual unlock for privileged accounts: Disable automatic unlock for administrator and executive accounts, requiring IT verification before restoration. This ensures proper incident review and prevents attackers from simply waiting out the lockout period.
• Implement self-service unlock options: Deploy secure self-service password reset with multi-factor verification, allowing users to unlock their own accounts after proving identity, reducing help desk costs while maintaining security.

Establish visibility into lockout events and patterns to detect attacks early and support incident response activities.

• Configure detailed logging: Ensure all authentication events, successful and failed, are logged with timestamps, source IP addresses, user agents, and target accounts. These logs are essential for forensic analysis and compliance.
• Set up real-time alerting: Create alerts for lockout events, especially for privileged accounts. Implement threshold-based alerts that trigger when multiple accounts are locked within a short period, indicating a coordinated attack.
• Integrate with SIEM systems: Feed authentication logs into security information and event management platforms to correlate lockout events with other security data, enabling comprehensive threat detection and response.

Implement safeguards that prevent attackers from weaponizing your lockout policy to deny service to legitimate users.

• Implement IP-based controls: Consider rate limiting or blocking IP addresses that trigger multiple lockouts across different accounts, indicating password spraying or distributed attacks. Use caution to avoid blocking legitimate shared connections.
• Deploy CAPTCHA after failed attempts: Present CAPTCHA challenges after 2-3 failed attempts from the same session, preventing automated tools from continuing attempts while allowing legitimate humans to proceed after verification.
• Create bypass procedures for critical accounts: Establish verified emergency procedures for unlocking critical service accounts or executive accounts during attacks, ensuring business continuity while maintaining security controls.

Create clear documentation and conduct user education to ensure the lockout policy is understood and properly utilized across the organization.

• Create user-facing documentation: Develop clear guidance explaining why lockouts occur, how many attempts are allowed, what happens when locked, and how to recover access. Make this easily accessible in your knowledge base or intranet.
• Train help desk staff: Ensure IT support personnel understand the policy, can verify user identity appropriately before unlocking accounts, and know how to identify potential attacks requiring security team escalation.
• Conduct security awareness training: Include lockout policy in general security training, explaining how it protects the organization and what users should do if they experience repeated lockouts (which might indicate an attack on their account).

Continuously monitor the effectiveness of your lockout policy and adjust based on operational experience and evolving threat landscape.

• Analyze lockout metrics monthly: Review the number of lockouts, unlock requests, and patterns to identify whether your thresholds are too strict (causing user frustration) or too lenient (allowing attack attempts).
• Investigate repeated lockout patterns: Users who experience frequent lockouts may need training, may be using problematic passwords, or may be targets of repeated attacks, each requires different intervention.
• Stay current with guidance: Monitor updates from NIST, NCSC, and other authorities on authentication best practices, adjusting your policy as recommendations evolve to address new attack techniques.