This documentation is archived and is not being maintained.

SqlMembershipProvider.MaxInvalidPasswordAttempts Property

Gets the number of invalid password or password-answer attempts allowed before the membership user is locked out.

Namespace:  System.Web.Security
Assembly:  System.Web (in System.Web.dll)

public override int MaxInvalidPasswordAttempts { get; }

Property Value

Type: System.Int32
The number of invalid password or password-answer attempts allowed before the membership user is locked out.

The MaxInvalidPasswordAttempts works in conjunction with the PasswordAttemptWindow to guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. If the number of invalid passwords or password questions supplied for a membership user is greater than or equal to the value of the MaxInvalidPasswordAttempts property within the number of minutes identified by the value of the PasswordAttemptWindow property, then the membership user is locked out by setting the IsLockedOut property to true until the user is unlocked with the UnlockUser method. If a valid password is supplied before the MaxInvalidPasswordAttempts value is reached, the counters that track the number of invalid password and password-answer attempts are reset to zero. If a valid password answer is supplied before the MaxInvalidPasswordAttempts value is reached, only the counter that tracks the number of invalid password-answer attempts is reset to zero.

The SqlMembershipProvider keeps counts of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.

The MaxInvalidPasswordAttempts property value is set in the application configuration using the maxInvalidPasswordAttempts attribute of the membership configuration section.

If the RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.

The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies that the application use an instance of the SqlMembershipProvider and sets the maxInvalidPasswordAttempts attribute to five invalid attempts and the passwordAttemptWindow to 30 minutes.

<membership defaultProvider="SqlProvider" 
      <add name="SqlProvider"
        applicationName="MyApplication" />

Windows 7, Windows Vista, Windows XP SP2, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP Starter Edition, Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows Server 2000 SP4, Windows Millennium Edition, Windows 98

The .NET Framework and .NET Compact Framework do not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

.NET Framework

Supported in: 3.5, 3.0, 2.0