SqlMembershipProvider.MaxInvalidPasswordAttempts Property

Gets the number of invalid password or password-answer attempts allowed before the membership user is locked out.

Namespace: System.Web.Security
Assembly: System.Web (in system.web.dll)

public override int MaxInvalidPasswordAttempts { get; }
/** @property */
public int get_MaxInvalidPasswordAttempts ()

public override function get MaxInvalidPasswordAttempts () : int

Not applicable.

Property Value

The number of invalid password or password-answer attempts allowed before the membership user is locked out.

The MaxInvalidPasswordAttempts works in conjunction with the PasswordAttemptWindow to guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. If the number of invalid passwords or password questions supplied for a membership user is greater than or equal to the value of the MaxInvalidPasswordAttempts property within the number of minutes identified by the value of the PasswordAttemptWindow property, then the membership user is locked out by setting the IsLockedOut property to true until the user is unlocked with the UnlockUser method. If a valid password is supplied before the MaxInvalidPasswordAttempts value is reached, the counters that track the number of invalid password and password-answer attempts are reset to zero. If a valid password answer is supplied before the MaxInvalidPasswordAttempts value is reached, only the counter that tracks the number of invalid password-answer attempts is reset to zero.

The SqlMembershipProvider keeps counts of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.

The MaxInvalidPasswordAttempts property value is set in the application configuration using the maxInvalidPasswordAttempts attribute of the membership configuration section.

If the RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.

The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies that the application use an instance of the SqlMembershipProvider and sets the maxInvalidPasswordAttempts attribute to five invalid attempts and the passwordAttemptWindow to 30 minutes.

<membership defaultProvider="SqlProvider" 
      <add name="SqlProvider"
        applicationName="MyApplication" />

Windows 98, Windows Server 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0