SqlMembershipProvider.MaxInvalidPasswordAttempts Property
Definition
Important
Some information relates to prerelease product that may be substantially modified before it’s released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
Gets the number of invalid password or password-answer attempts allowed before the membership user is locked out.
public:
virtual property int MaxInvalidPasswordAttempts { int get(); };public override int MaxInvalidPasswordAttempts { get; }member this.MaxInvalidPasswordAttempts : intPublic Overrides ReadOnly Property MaxInvalidPasswordAttempts As IntegerProperty Value
The number of invalid password or password-answer attempts allowed before the membership user is locked out.
Examples
The following code example shows the membership element in the system.web section of the Web.config file for an ASP.NET application. It specifies that the application use an instance of the SqlMembershipProvider and sets the maxInvalidPasswordAttempts attribute to five invalid attempts and the passwordAttemptWindow to 30 minutes.
<membership defaultProvider="SqlProvider"
userIsOnlineTimeWindow="20">
<providers>
<add name="SqlProvider"
type="System.Web.Security.SqlMembershipProvider"
connectionStringName="SqlServices"
requiresQuestionAndAnswer="true"
maxInvalidPasswordAttempts="5"
passwordAttemptWindow="30"
applicationName="MyApplication" />
</providers>
</membership>
Remarks
The MaxInvalidPasswordAttempts works in conjunction with the PasswordAttemptWindow to guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. If the number of invalid passwords or password questions supplied for a membership user is greater than or equal to the value of the MaxInvalidPasswordAttempts property within the number of minutes identified by the value of the PasswordAttemptWindow property, then the membership user is locked out by setting the IsLockedOut property to true until the user is unlocked with the UnlockUser method. If a valid password is supplied before the MaxInvalidPasswordAttempts value is reached, the counters that track the number of invalid password and password-answer attempts are reset to zero. If a valid password answer is supplied before the MaxInvalidPasswordAttempts value is reached, only the counter that tracks the number of invalid password-answer attempts is reset to zero.
The SqlMembershipProvider keeps counts of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.
The MaxInvalidPasswordAttempts property value is set in the application configuration using the maxInvalidPasswordAttempts attribute of the membership configuration section.
If the RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.
