Assembly: System.Web (in system.web.dll)
Property Value
The time window, in minutes, during which consecutive failed attempts to provide a valid password or password answer are tracked. The default is 10 minutes. If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, each failed attempt is treated as if it were the first failed attempt.
The PasswordAttemptWindow property works in conjunction with the MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. When a user attempts to log in with, change, or reset his or her password, only a certain number of consecutive attempts are allowed within a specified time window. The length of this time window is specified in the PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts.
If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified in the PasswordAttemptWindow property, then the membership user is locked out. The user is locked out by setting the IsLockedOut property to true until the user is unlocked by a call to the UnlockUser method.
If the interval between the current failed attempt and the last failed attempt is greater than the PasswordAttemptWindow property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to 0 (zero). If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to 0 (zero).
Invalid password and password-answer attempts accumulate independently of one another. For example, if the MaxInvalidPasswordAttempts is set to 5, and three invalid password attempts are made followed by two invalid password-answer attempts, two more invalid password attempts (or three more invalid password-answer attempts) must be made within PasswordAttemptWindow for the membership user to be locked out.
The PasswordAttemptWindow property value is set in the application configuration by using the passwordAttemptWindow attribute of the membership configuration-element section.
If the RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.
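The rules above (two counters that accumulate independently, a window measured from the last failure, a reset on a valid password or password answer, and a lockout that UnlockUser clears) can be traced in a small model. The following Python is an added example, not the SqlMembershipProvider's code: the LockoutPolicy and UserLockoutState classes are hypothetical, the timestamps are constructed, and the counter reset inside unlock_user is an assumption of this model rather than something this page states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Tuple


@dataclass
class UserLockoutState:
    """Per-user state: independent password and password-answer failure
    counters, the time of each counter's last failure, and the lockout flag."""
    password_failures: int = 0
    password_last_failure: Optional[datetime] = None
    answer_failures: int = 0
    answer_last_failure: Optional[datetime] = None
    is_locked_out: bool = False


class LockoutPolicy:
    """Model of MaxInvalidPasswordAttempts / PasswordAttemptWindow behaviour as
    described on this page (hypothetical class, not the provider's own code)."""

    def __init__(self, max_invalid_password_attempts: int = 5,
                 password_attempt_window_minutes: int = 10,
                 requires_question_and_answer: bool = True) -> None:
        self.max_attempts = max_invalid_password_attempts
        self.window = timedelta(minutes=password_attempt_window_minutes)
        self.requires_question_and_answer = requires_question_and_answer

    def _next_count(self, count: int, last: Optional[datetime], now: datetime) -> int:
        # A failure more than PasswordAttemptWindow after the previous failure
        # is treated as the first; otherwise the count accumulates.
        if last is None or now - last > self.window:
            return 1
        return count + 1

    def record_password_attempt(self, s: UserLockoutState, valid: bool, now: datetime) -> bool:
        """True if accepted. A locked-out user is refused even with the right
        password until unlock_user is called."""
        if s.is_locked_out:
            return False
        if valid:
            s.password_failures = 0  # a valid password clears both counters
            s.answer_failures = 0
            return True
        s.password_failures = self._next_count(s.password_failures, s.password_last_failure, now)
        s.password_last_failure = now
        if s.password_failures >= self.max_attempts:
            s.is_locked_out = True
        return False

    def record_answer_attempt(self, s: UserLockoutState, valid: bool, now: datetime) -> bool:
        """Same rules for the password answer; only the answer counter is
        cleared on success, and nothing is tracked when RequiresQuestionAndAnswer is false."""
        if s.is_locked_out:
            return False
        if not self.requires_question_and_answer:
            return valid
        if valid:
            s.answer_failures = 0
            return True
        s.answer_failures = self._next_count(s.answer_failures, s.answer_last_failure, now)
        s.answer_last_failure = now
        if s.answer_failures >= self.max_attempts:
            s.is_locked_out = True
        return False

    def unlock_user(self, s: UserLockoutState) -> None:
        # Mirrors UnlockUser clearing IsLockedOut; resetting the counters here
        # is an assumption of this model.
        s.is_locked_out = False
        s.password_failures = 0
        s.answer_failures = 0


T0 = datetime(2024, 1, 1, 12, 0)  # constructed start time for the walkthroughs


def example_independent_counters() -> Tuple[bool, bool, bool, bool]:
    # The page's scenario: max 5; three bad passwords then two bad answers do not
    # lock out, two more bad passwords inside the window do.
    policy, s = LockoutPolicy(max_invalid_password_attempts=5), UserLockoutState()
    for i in range(3):
        policy.record_password_attempt(s, False, T0 + timedelta(minutes=i))
    for i in range(3, 5):
        policy.record_answer_attempt(s, False, T0 + timedelta(minutes=i))
    locked_after_mixed = s.is_locked_out
    for i in range(5, 7):
        policy.record_password_attempt(s, False, T0 + timedelta(minutes=i))
    locked_after_two_more = s.is_locked_out
    refused_while_locked = not policy.record_password_attempt(s, True, T0 + timedelta(minutes=7))
    policy.unlock_user(s)
    accepted_after_unlock = policy.record_password_attempt(s, True, T0 + timedelta(minutes=8))
    return locked_after_mixed, locked_after_two_more, refused_while_locked, accepted_after_unlock


def example_window_expiry() -> Tuple[int, bool]:
    # Failures spaced 11 minutes apart with a 10-minute window never accumulate.
    policy, s = LockoutPolicy(3, 10), UserLockoutState()
    for i in range(6):
        policy.record_password_attempt(s, False, T0 + timedelta(minutes=11 * i))
    return s.password_failures, s.is_locked_out


def example_success_resets() -> Tuple[Tuple[int, int], Tuple[int, int]]:
    # A valid answer clears only the answer counter; a valid password clears both.
    policy, s = LockoutPolicy(3), UserLockoutState()
    policy.record_password_attempt(s, False, T0)
    policy.record_answer_attempt(s, False, T0 + timedelta(minutes=1))
    policy.record_answer_attempt(s, True, T0 + timedelta(minutes=2))
    after_valid_answer = (s.password_failures, s.answer_failures)
    policy.record_answer_attempt(s, False, T0 + timedelta(minutes=3))
    policy.record_password_attempt(s, True, T0 + timedelta(minutes=4))
    return after_valid_answer, (s.password_failures, s.answer_failures)


if __name__ == "__main__":
    print(example_independent_counters(), example_window_expiry(), example_success_resets())
```

Running the module prints the three walkthroughs; the second one is the point a reviewer most often misses: a window measured from the last failure means slow, widely spaced guessing never triggers the lockout, so monitoring for failed attempts should not rely on IsLockedOut alone.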
The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies that the application use an instance of the SqlMembershipProvider, sets the maxInvalidPasswordAttempts attribute to five invalid attempts, and sets the passwordAttemptWindow attribute to 30 minutes.
<membership defaultProvider="SqlProvider" userIsOnlineTimeWindow="20">
  <providers>
    <add name="SqlProvider"
         type="System.Web.Security.SqlMembershipProvider"
         connectionStringName="SqlServices"
         requiresQuestionAndAnswer="true"
         maxInvalidPasswordAttempts="5"
         passwordAttemptWindow="30"
         applicationName="MyApplication" />
  </providers>
</membership>