Account lockout policy

Use this page to set up an account lockout policy for different user roles within HCL Commerce. It lists all existing account lockout policies including any predefined ones supplied with HCL Commerce by default. An account lockout policy locks or disables a user account if malicious actions are launched against that account in order to reduce the chances that the actions compromise the account.

The account lockout policy enforces the following items:

  • The account lockout threshold. This is the number of invalid logon attempts before the account is disabled. If you set this number too low, you risk locking out legitimate users who mistyped their password or have difficulty remembering it, and potentially overwhelming your CSR team if an attacker is trying to lock out several accounts. If you set this number too high, you avoid those risks, but your site becomes more exposed to a brute-force password-guessing attack. Choose a threshold that best suits your security requirements.
  • Consecutive unsuccessful login delay. This is the time period during which the user is not allowed to log in after two failed login attempts. The delay is incremented by the configured time delay value (for example, 10 seconds) with every consecutive login failure.
  • HCL Commerce Version or later: Upon reaching the account lockout threshold, the user account is locked. Site users can reset their password and unlock the account by using the Forgot password feature flow. Prior to that version, the user account was disabled and could not be re-enabled by the site user.
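To make the interaction between the threshold and the growing delay concrete, here is an added Python model of the policy described above; it is illustrative code, not HCL Commerce's implementation. It uses the sample values from the policy fields (threshold 6, wait time 10 seconds) and assumes that an attempt made during the delay window is rejected without counting as a further failure, and that the Forgot password flow both unlocks the account and clears the failure counter.

```python
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int = 6   # failed attempts after which the account is locked
    wait_time: int = 10  # seconds added to the delay on every consecutive failure


@dataclass
class AccountState:
    failures: int = 0      # consecutive failed attempts since the last success
    not_before: float = 0  # earliest time (epoch seconds) a new attempt is accepted
    locked: bool = False


def delay_after_failure(policy: LockoutPolicy, failures: int) -> int:
    """Delay imposed after the n-th consecutive failure: none after the first,
    wait_time after the second, and wait_time more for each later failure."""
    return max(0, failures - 1) * policy.wait_time


def attempt_login(policy, state, password_ok: bool, now: float):
    """Apply one login attempt to the account. Returns (outcome, seconds_to_wait)."""
    if state.locked:
        return "locked", 0
    if now < state.not_before:
        # Assumption: an attempt made during the delay window is rejected
        # outright and does not count as another failure.
        return "too_early", state.not_before - now
    if password_ok:
        state.failures = 0
        state.not_before = 0
        return "ok", 0
    state.failures += 1
    if state.failures >= policy.threshold:
        state.locked = True  # only the password-reset flow clears this
        return "locked", 0
    delay = delay_after_failure(policy, state.failures)
    state.not_before = now + delay
    return "failed", delay


def unlock_via_password_reset(state: AccountState) -> None:
    """Model the Forgot password flow (assumption): clears the lock and the counter."""
    state.failures = 0
    state.not_before = 0
    state.locked = False
```

Walking a single account through six consecutive failures shows the delays 0, 10, 20, 30, 40 seconds before the sixth attempt locks it, which is the cumulative cost a guesser pays under these settings.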

The Account Lockout Policy page lists all existing account lockout policies. On this page:

  • You can create a new policy by clicking New.
  • You can change the characteristics of an existing policy by selecting the policy in the list and clicking Change.
  • You can delete an existing policy by selecting the policy in the list and clicking Delete.

When creating an account lockout policy, complete the following fields:

  • The name of your account lockout policy (for example, my_policy).
  • Account lockout threshold: the number of unsuccessful attempts to log on to the account after which the account is locked out. For example, enter 6 (for 6 attempts).
  • Wait time: the consecutive unsuccessful login delay in seconds. For example, enter 10 (for 10 seconds).

  • You cannot delete an account lockout policy if it is in use (that is, a user is assigned to the account lockout policy).
  • Account lockout policies are enforced only if users are authenticated against the HCL Commerce database.