The Membership.MaxInvalidPasswordAttempts works in conjunction with the Membership.PasswordAttemptWindow to guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. If the number of invalid passwords or password questions supplied for a membership user is greater than or equal to the value of the Membership.MaxInvalidPasswordAttempts property within the number of minutes identified by the value of the Membership.PasswordAttemptWindow property, then the membership user is locked out by setting the MembershipUser.IsLockedOut property to true until the user is unlocked with the MembershipUser.UnlockUser method. If a valid password is supplied before the Membership.MaxInvalidPasswordAttempts value is reached, the counters that track the number of invalid password and password-answer attempts are reset to zero. If a valid password answer is supplied before the Membership.MaxInvalidPasswordAttempts value is reached, only the counter that tracks the number of invalid password-answer attempts is reset to zero.

The System.Web.Security.SqlMembershipProvider keeps counts of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.

The Membership.MaxInvalidPasswordAttempts property value is set in the application configuration using the maxInvalidPasswordAttempts attribute of the membership configuration section.

If the Membership.RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.