Setting up an account lockout policy

The Account Lockout Policy page of the Administration Console allows you to set up an account lockout policy for different user roles within WebSphere Commerce. This page lists all existing account lockout policies including any predefined ones supplied with WebSphere Commerce by default. An account lockout policy disables a user account if malicious actions are launched against that account in order to reduce the chances that the actions compromise the account.

An account lockout policy enforces the following items:
  • The account lockout threshold. This is the number of invalid logon attempts before the account is disabled. By setting this number too low, you risk locking out legitimate users that mistyped their password or have difficulty remembering their password, and potentially overwhelming your CSR team if an attacker is trying to lockout several account. By setting this number too high, you avoid the aforementioned risks, but it's more likely to make your site vulnerable to a brute force attack of guessing passwords. Choose a threshold that best suits your security requirements.
  • Consecutive unsuccessful login delay. This is the time period for which the user is not allowed to login, after two failed attempts to login. The delay gets incremented by the configured time delay value (for example, 10 seconds) with every consecutive login failure.
Note: Account lockout does not work with LDAP enabled.

Procedure

  1. Open the Administration Console and select Site on the Administration Console Site/Store Selection page.
  2. Click Security > Account Lockout Policy.
  3. The Account Lockout Policy page lists all existing account lockout policies. On this page:
    • You can create a new policy by clicking New.
      1. Enter a name for the account lockout policy in the Name field (for example, my_policy).
      2. Enter an account lockout threshold in the Account lockout threshold field. For example, enter 6 (for six attempts)
      3. Enter the consecutive unsuccessful login delay in seconds in the Wait time field. For enter 10 (for ten seconds).
      4. Click OK.
    • You can change the characteristics an existing policy by selecting the policy in the list and clicking Change.
    • You can delete an existing policy by selecting the policy in the list and clicking Delete.
      Note:
      1. You cannot delete an account lockout policy if it is in use (that is, a user is assigned to the account lockout policy).
      2. Account lockout policies are enforced only if users are authenticated against the WebSphere Commerce database.