
Account Lockout

Classification Key : Perimeter Security, Spoofing


Passwords are vulnerable to password guessing attacks. How can the systems login mechanism be protected from password guessing attacks?


Limit the number of incorrect password entry attempts. The server keeps an account of the consecutive failed password attempts. When a user successfully logs in this count is cleared. Once a pre-defined threshold value of consecutive failures is reached, the account is locked. The system should function normally and deny every request from that on so that the attacker does not know whether the system is locked or he is not guessing the right password. The account is only unlocked after the correct user makes an explicit request for unlocking the account.
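The following is an added example, not code from the catalog, showing the solution above as a small in-memory login service: a per-account counter of consecutive failures, cleared on success, a lock once the counter reaches a threshold, uniform denial of every request while locked, and an explicit unlock. The threshold, the PBKDF2 hashing, the usernames and passwords are all constructed for the example and are not specified by the pattern.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Example threshold; the pattern only says "pre-defined", the value is an assumption.
LOCKOUT_THRESHOLD = 5
PBKDF2_ITERATIONS = 100_000
_DUMMY_SALT = b"\x00" * 16  # lets unknown usernames cost the same as real ones


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash. The pattern is about lockout, not password storage;
    PBKDF2-HMAC-SHA256 is just a sane stand-in for whatever the system uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0   # consecutive failures; cleared on a successful login
    locked: bool = False


class LoginService:
    """In-memory login service implementing the Account Lockout pattern (example)."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD) -> None:
        self.threshold = threshold
        self._accounts = {}

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> bool:
        """Return True only for a correct password on an unlocked account."""
        account = self._accounts.get(username)
        if account is None:
            # Do the same amount of work for unknown users so the response
            # does not reveal which usernames exist.
            hash_password(password, _DUMMY_SALT)
            return False

        # Verify the password even on a locked account, so the locked and
        # unlocked paths take comparable time and the response does not
        # reveal whether the lock has been triggered.
        correct = hmac.compare_digest(
            hash_password(password, account.salt), account.password_hash
        )
        if account.locked:
            return False  # deny every request, including the correct password

        if correct:
            account.failed_attempts = 0  # success clears the counter
            return True

        account.failed_attempts += 1
        if account.failed_attempts >= self.threshold:
            account.locked = True
        return False

    def unlock(self, username: str) -> None:
        """Explicit unlock request. The caller is assumed to have verified the
        legitimate user out of band (helpdesk, recovery flow); that step is
        outside this example."""
        account = self._accounts[username]
        account.locked = False
        account.failed_attempts = 0

    def is_locked(self, username: str) -> bool:
        return self._accounts[username].locked

    def failed_attempts(self, username: str) -> int:
        return self._accounts[username].failed_attempts


if __name__ == "__main__":
    svc = LoginService(threshold=3)
    svc.register("alice", "correct horse battery staple")  # constructed credentials
    for guess in ("password", "123456", "letmein", "correct horse battery staple"):
        print(guess, "->", svc.login("alice", guess), "locked:", svc.is_locked("alice"))
```

Two design points worth noting. First, `login` returns the same `False` whether the password was wrong, the account is locked, or the username does not exist, and it does the password hashing in every case, which is what the pattern's "function normally and deny every request" requirement asks for. Second, a lockout that only the legitimate user can clear means that anyone who knows a username can lock its owner out by sending wrong passwords; deployments usually pair this pattern with per-source throttling (compare the related Network Address Blacklist pattern) or a timed lockout so that the denial-of-service cost stays bounded.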

Known Uses

Online banking system login window, traditional password and PIN systems.

Related Patterns

Hidden Implementation, Encrypted Storage, Network Address Blacklist


Kienzle et al. Repository


Authentication, User Interface


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz