SqlMembershipProvider.MaxInvalidPasswordAttempts Property

Definition

Gets the number of invalid password or password-answer attempts allowed before the membership user is locked out.

public:
 virtual property int MaxInvalidPasswordAttempts { int get(); };
public override int MaxInvalidPasswordAttempts { get; }
member this.MaxInvalidPasswordAttempts : int
Public Overrides ReadOnly Property MaxInvalidPasswordAttempts As Integer

Property Value

The number of invalid password or password-answer attempts allowed before the membership user is locked out.

Examples

The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies that the application use an instance of the SqlMembershipProvider and sets the maxInvalidPasswordAttempts attribute to five invalid attempts and the passwordAttemptWindow to 30 minutes.

<membership defaultProvider="SqlProvider"   
  userIsOnlineTimeWindow="20">  
    <providers>  
      <add name="SqlProvider"  
        type="System.Web.Security.SqlMembershipProvider"  
        connectionStringName="SqlServices"  
        requiresQuestionAndAnswer="true"  
        maxInvalidPasswordAttempts="5"  
        passwordAttemptWindow="30"  
        applicationName="MyApplication" />  
    </providers>  
</membership>  

Remarks

The MaxInvalidPasswordAttempts works in conjunction with the PasswordAttemptWindow to guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. If the number of invalid passwords or password questions supplied for a membership user is greater than or equal to the value of the MaxInvalidPasswordAttempts property within the number of minutes identified by the value of the PasswordAttemptWindow property, then the membership user is locked out by setting the IsLockedOut property to true until the user is unlocked with the UnlockUser method. If a valid password is supplied before the MaxInvalidPasswordAttempts value is reached, the counters that track the number of invalid password and password-answer attempts are reset to zero. If a valid password answer is supplied before the MaxInvalidPasswordAttempts value is reached, only the counter that tracks the number of invalid password-answer attempts is reset to zero.

The SqlMembershipProvider keeps counts of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.

The MaxInvalidPasswordAttempts property value is set in the application configuration using the maxInvalidPasswordAttempts attribute of the membership configuration section.

If the RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.

Applies to

See also