Setting up an account lockout policy

The account lockout policy in Management Center is configured as part of a security policy. An account lockout policy locks (disables) a user account when repeated failed login attempts are made against it, which reduces the chance that a password-guessing attack compromises the account.

An account lockout policy enforces the following items:
  • The account lockout threshold. This is the number of invalid logon attempts after which the account is disabled. If you set this number too low, you risk locking out legitimate users who mistype their password or have difficulty remembering it, and potentially overwhelming your CSR team if an attacker deliberately locks out several accounts. If you set it too high, you avoid those risks, but you make your site more vulnerable to a brute-force password-guessing attack. Choose a threshold that best suits your security requirements.
  • Consecutive unsuccessful login delay. This is the time period during which the user is not allowed to log in, starting after two failed login attempts. The delay increases by the configured wait time (for example, 10 seconds) with every further consecutive login failure, so each additional failure adds one more wait time to the delay.
Note:
  • Account lockout is not enforced when LDAP authentication is enabled.
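The two settings interact: the threshold caps how many guesses an attacker gets against one account, and the escalating delay stretches those guesses out in time. The following is an added example, not code from HCL Commerce or from this documentation. It models the behaviour described above in Python with invented names (LockoutPolicy, AccountState, LockoutEnforcer, brute_force_budget) and a constructed in-memory credential table, and it assumes that a login request made inside the wait window is refused before the password is checked and does not count as a further failure.

```python
import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    threshold: int   # invalid logon attempts before the account is disabled
    wait_time: int   # consecutive unsuccessful login delay, in seconds


@dataclass
class AccountState:
    failures: int = 0        # consecutive failed attempts since the last success
    locked: bool = False     # set once failures reaches the threshold
    not_before: float = 0.0  # logins are refused while now < not_before


class LockoutEnforcer:
    """Applies a LockoutPolicy to an in-memory credential table (constructed sample data)."""

    def __init__(self, policy, credentials):
        self.policy = policy
        self.credentials = credentials        # user -> password; plaintext only for the demo
        self.state = {user: AccountState() for user in credentials}

    def delay_after(self, failures):
        # No delay after the first failure. From the second failure on, each
        # further consecutive failure adds one more wait_time to the delay.
        return 0 if failures < 2 else (failures - 1) * self.policy.wait_time

    def attempt(self, user, password, now):
        """Process one login at time `now`; returns 'ok', 'failed', 'delayed' or 'locked'."""
        st = self.state.get(user)
        if st is None:
            return "failed"                   # unknown user: no state is kept for it
        if st.locked:
            return "locked"                   # stays disabled until a CSR re-enables it
        if now < st.not_before:
            # Assumption (not stated on the page): a request inside the wait window
            # is refused before the password is checked and is not a new failure.
            return "delayed"
        if hmac.compare_digest(password.encode(), self.credentials[user].encode()):
            st.failures = 0                   # a successful login clears the counter
            st.not_before = 0.0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.threshold:
            st.locked = True
            return "locked"
        st.not_before = now + self.delay_after(st.failures)
        return "failed"


def brute_force_budget(policy):
    """(guesses, seconds): how many password guesses one account allows before it
    is disabled, and the minimum wall-clock time the escalating delay forces
    between the first and the last of them."""
    seconds = 0
    for k in range(1, policy.threshold):     # delay imposed after the k-th failure
        seconds += 0 if k < 2 else (k - 1) * policy.wait_time
    return policy.threshold, seconds


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=6, wait_time=10)
    enforcer = LockoutEnforcer(policy, {"alice": "correct horse"})   # constructed sample
    clock = 0
    for n in range(1, 8):                    # an attacker guessing as fast as the policy allows
        result = enforcer.attempt("alice", f"guess{n}", clock)
        print(f"t={clock:>4}s attempt {n}: {result}")
        clock = max(clock, enforcer.state["alice"].not_before)
    print("budget (guesses, seconds):", brute_force_budget(policy))
```

With the values used in the procedure on this page (threshold 6, wait time 10 seconds), brute_force_budget reports that an attacker gets 6 guesses against one account and needs at least 100 seconds of wall-clock time to make them before the account is disabled. The same six requests aimed at a legitimate user's account are enough to lock that user out, which is the CSR-load risk described above; a lower threshold shortens the attacker's budget but makes that denial of service cheaper.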

Procedure

  1. Open Management Center Tools.
  2. From Hamburger menu, click System Administration > Security Policies.
  3. The Security Policy page lists all the existing security policies.
    • A new security policy has its own password policy and account lockout policy. To create one:
      1. Enter a name for the security policy and click Next. On the Define Lockout policy page, create the lockout policy that the security policy will use.
      2. Enter an account lockout threshold in the Account lockout threshold field. For example, enter 6 (for six attempts).
      3. Enter the consecutive unsuccessful login delay in seconds in the Wait time field. For example, enter 10 (for ten seconds).
      4. Click Finish.
    • You can change the characteristics of an existing policy by selecting it in the list and changing the existing values as required. Click Save to save the changes.
    • You can delete an existing policy by selecting the policy in the list and clicking Delete.
      Note:
      1. You cannot delete an account lockout policy that is in use (that is, a user is assigned to it).
      2. Account lockout policies are enforced only when users are authenticated against the HCL Commerce database, not when LDAP authentication is enabled.