Lock User Accounts After Failed Login Attempts
User accounts lock after five wrong passwords to increase security.
Plain language
This control means that if someone tries five times to enter the wrong password for a user's account, the account gets temporarily locked. This is crucial because it helps prevent unauthorised people from guessing passwords over and over in an attempt to break into the system.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
User Account Lockouts
Official control statement
User accounts, except for break glass accounts, are locked out after a maximum of five failed logon attempts.
Why it matters
Without account lockout after failed attempts, systems are vulnerable to brute force attacks, risking unauthorised access and data breaches.
Operational notes
Monitor lockout events and trends, validate the lockout threshold is set to five failed logons, and investigate repeated lockouts for brute force activity.
Implementation tips
- The IT team should configure the user account settings in the system to automatically lock an account after five incorrect login attempts. They can do this by accessing the user management or security settings in the main software or system used by the organisation.
- Managers should communicate the new account lockout policy to all employees through a memo or a meeting. This ensures everyone is aware of the potential lockout and knows to be cautious when entering passwords.
- The IT team should regularly monitor the system for any accounts that get locked frequently and investigate if there's unusual activity. They can check system logs and user account histories to ensure there are no security threats.
- Managers or HR should establish a process for employees to follow if their account gets locked. This might involve contacting a specific IT support person who can verify the user's identity and unlock the account.
- The IT team should ensure that exceptions, like 'break glass' accounts used in emergencies, are properly documented and managed. These should have extra security measures in place and be used only when absolutely necessary.
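The operational notes above ask for three things: validate that the threshold is five, monitor lockout events and trends, and investigate repeated lockouts. The following added example (not code from the Control Stack page, the ISM, or any product) shows one way to do all three from an authentication log. The log line format, the event names FAILED_LOGON / LOGON_OK / LOCKOUT, the break glass account name and all sample lines are constructed assumptions; a real deployment would map its own log source onto the parser.

```python
"""Added example for ISM-1403 monitoring (not code from the Control Stack page).
Replays constructed auth log lines to verify the lockout threshold is enforced
and to flag accounts that lock out repeatedly, which the page says to investigate."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_FAILED_LOGONS = 5                        # ISM-1403: lock after at most five
BREAK_GLASS_ACCOUNTS = {"breakglass-admin"}  # hypothetical exempt account name

# Constructed sample data, not real logs, in assumed chronological order.
# Assumed line format: <ISO-8601 timestamp> <EVENT> user=<name> [src=<ip>]
SAMPLE_LOG = """\
2026-03-19T08:00:01Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:00:02Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:00:03Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:00:04Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:00:05Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:00:05Z LOCKOUT user=alice
2026-03-19T08:30:00Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:30:01Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:30:02Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:30:03Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:30:04Z FAILED_LOGON user=alice src=10.0.0.5
2026-03-19T08:30:04Z LOCKOUT user=alice
2026-03-19T09:00:00Z FAILED_LOGON user=bob src=10.0.0.9
2026-03-19T09:00:01Z FAILED_LOGON user=bob src=10.0.0.9
2026-03-19T09:00:02Z LOGON_OK user=bob src=10.0.0.9
2026-03-19T09:10:00Z FAILED_LOGON user=carol src=10.0.0.7
2026-03-19T09:10:01Z FAILED_LOGON user=carol src=10.0.0.7
2026-03-19T09:10:02Z FAILED_LOGON user=carol src=10.0.0.7
2026-03-19T09:10:03Z FAILED_LOGON user=carol src=10.0.0.7
2026-03-19T09:10:04Z FAILED_LOGON user=carol src=10.0.0.7
2026-03-19T09:10:05Z FAILED_LOGON user=carol src=10.0.0.7
2026-03-19T09:20:00Z FAILED_LOGON user=breakglass-admin src=10.0.0.2
2026-03-19T09:20:01Z FAILED_LOGON user=breakglass-admin src=10.0.0.2
2026-03-19T09:20:02Z FAILED_LOGON user=breakglass-admin src=10.0.0.2
2026-03-19T09:20:03Z FAILED_LOGON user=breakglass-admin src=10.0.0.2
2026-03-19T09:20:04Z FAILED_LOGON user=breakglass-admin src=10.0.0.2
2026-03-19T09:20:05Z FAILED_LOGON user=breakglass-admin src=10.0.0.2
"""


def parse_log(text):
    """Parse the assumed log format into a list of dicts with ts/event/user[/src]."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event, *fields = line.split()
            rec = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "event": event}
            rec.update(f.split("=", 1) for f in fields)
            events.append(rec)
    return events


def threshold_is_compliant(configured):
    """'A maximum of five' means 1..5 passes; 0 (lockout disabled) or 6+ fails."""
    return 1 <= configured <= MAX_FAILED_LOGONS


def accounts_not_locked(events, threshold=MAX_FAILED_LOGONS, exempt=BREAK_GLASS_ACCOUNTS):
    """Replay events and return non-exempt accounts that reached the threshold yet
    produced another logon attempt (failed or successful) before any LOCKOUT
    event: evidence that the configured lockout is not actually taking effect."""
    failures = defaultdict(int)   # consecutive failed logons per account
    should_be_locked = set()      # accounts past the threshold, awaiting LOCKOUT
    findings = set()
    for rec in events:
        user, event = rec["user"], rec["event"]
        if event == "LOCKOUT":
            failures[user] = 0
            should_be_locked.discard(user)
            continue
        if user in should_be_locked:      # any activity here means no lockout happened
            findings.add(user)
        if event == "LOGON_OK":
            failures[user] = 0
            should_be_locked.discard(user)
        elif event == "FAILED_LOGON":
            failures[user] += 1
            if failures[user] >= threshold and user not in exempt:
                should_be_locked.add(user)
    return sorted(findings)


def repeated_lockouts(events, min_lockouts=2, window=timedelta(hours=1)):
    """Return {account: count} for accounts locked out at least min_lockouts
    times within any sliding window; repeated lockouts are the brute-force
    indicator the page says to investigate."""
    stamps = defaultdict(list)
    for rec in events:
        if rec["event"] == "LOCKOUT":
            stamps[rec["user"]].append(rec["ts"])
    flagged = {}
    for user, times in stamps.items():
        times.sort()
        best = max(sum(1 for t in times[i:] if t - start <= window)
                   for i, start in enumerate(times))
        if best >= min_lockouts:
            flagged[user] = best
    return flagged
```

On the constructed sample, `accounts_not_locked` reports `carol` (six failures, no LOCKOUT event, so the threshold is not being enforced for that system), stays silent on `breakglass-admin` because the control exempts break glass accounts, and `repeated_lockouts` reports `alice` with two lockouts inside an hour, which is the trend the operational notes say to investigate. The replay approach is deliberately independent of any one product: the same check works on directory, VPN or application logs once their events are mapped onto the three event names.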
Audit / evidence tips
- Ask: the company's account lockout policy document. Request the document that outlines the rules for locking user accounts after failed logins.
  Good: a clearly defined policy stating accounts are locked after five failed attempts.
- Good: shows logs that clearly identify the number of failed attempts per account, with timestamps and actions taken.
- Ask: the records of exception accounts. Specifically, inquire about how 'break glass' accounts are handled.
  Good: includes records of these accounts and notes on their controlled access.
- Good: includes clear steps taken to verify user identity and unlock accounts.
- Ask: staff training materials related to account lockouts. Ensure that employees have been educated about the policy.
  Good: includes a training schedule and materials that explicitly cover the account lockout policy.
Cross-framework mappings
How ISM-1403 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001: partially meets (2 mappings)
| Control | Notes |
|---|---|
| Annex A 5.15 | ISM-1403 requires user accounts (except break glass accounts) to be locked after a maximum of five failed logon attempts, addressing spec... |
| Annex A 8.3 | ISM-1403 mandates a specific response to failed login attempts by locking accounts after five failures, excluding break glass accounts |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.