System.Web.Security.Membership.PasswordAttemptWindow Property

Gets the time window, in minutes, within which consecutive failed attempts to provide a valid password or password answer are tracked.

Syntax

public static int PasswordAttemptWindow { get; }

Value

The number of minutes allowed between invalid password or password-answer attempts for those attempts to be counted as consecutive.

Remarks

The Membership.PasswordAttemptWindow property works in conjunction with the Membership.MaxInvalidPasswordAttempts property to help guard against an unwanted party guessing the password or password answer of a membership user through repeated attempts. When a user attempts to log in with, change, or reset his or her password, only a certain number of consecutive attempts are allowed within a specified time window. The length of this time window is specified by the Membership.PasswordAttemptWindow property, which gives the number of minutes allowed between invalid attempts.

If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the Membership.MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified in the Membership.PasswordAttemptWindow property, then the membership user is locked out. The user is locked out by setting the MembershipUser.IsLockedOut property to true until the user is unlocked by a call to the MembershipUser.UnlockUser method.

If the interval between the current failed attempt and the last failed attempt is greater than the Membership.PasswordAttemptWindow property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to 0 (zero). If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to 0 (zero).

Invalid password and password-answer attempts accumulate independently of one another. For example, if the Membership.MaxInvalidPasswordAttempts is set to 5, and three invalid password attempts are made followed by two invalid password-answer attempts, two more invalid password attempts (or three more invalid password-answer attempts) must be made within Membership.PasswordAttemptWindow for the membership user to be locked out.

The Membership.PasswordAttemptWindow property value is set in the application configuration by using the passwordAttemptWindow attribute of the membership configuration element.

If the Membership.RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.
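
The counting rules in the Remarks above can be modeled as follows. This is an added example, not code from the membership provider or from this documentation; the LockoutModel class, its members, and the timestamps are hypothetical and exist only to replay the MaxInvalidPasswordAttempts = 5 scenario described above.

```csharp
using System;

// Hypothetical model of the documented counting rules; not provider code.
public sealed class LockoutModel
{
    private readonly int _maxAttempts;   // stands in for MaxInvalidPasswordAttempts
    private readonly TimeSpan _window;   // stands in for PasswordAttemptWindow (minutes)
    private int _passwordFails, _answerFails;
    private DateTime _lastPasswordFail, _lastAnswerFail;

    public bool IsLockedOut { get; private set; }

    public LockoutModel(int maxAttempts, int windowMinutes)
    {
        _maxAttempts = maxAttempts;
        _window = TimeSpan.FromMinutes(windowMinutes);
    }

    // Password and password-answer failures accumulate independently.
    public void FailedPassword(DateTime now) { Fail(ref _passwordFails, ref _lastPasswordFail, now); }
    public void FailedAnswer(DateTime now) { Fail(ref _answerFails, ref _lastAnswerFail, now); }

    // A valid password clears both counters; a valid answer clears only its own.
    public void ValidPassword() { _passwordFails = 0; _answerFails = 0; }
    public void ValidAnswer() { _answerFails = 0; }

    private void Fail(ref int count, ref DateTime last, DateTime now)
    {
        if (IsLockedOut) return;
        // A gap longer than the window makes this failure the first of a new run.
        count = (count > 0 && now - last > _window) ? 1 : count + 1;
        last = now;
        if (count >= _maxAttempts) IsLockedOut = true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var start = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed timestamp
        var user = new LockoutModel(5, 10);
        for (int i = 0; i < 3; i++) user.FailedPassword(start.AddMinutes(i));
        for (int i = 0; i < 2; i++) user.FailedAnswer(start.AddMinutes(3 + i));
        Console.WriteLine(user.IsLockedOut); // state after 3 password + 2 answer failures
        user.FailedPassword(start.AddMinutes(5));
        user.FailedPassword(start.AddMinutes(6));
        Console.WriteLine(user.IsLockedOut); // state after the password counter reaches 5
    }
}
```

Because the window is measured from the previous failure, attempts spaced further apart than PasswordAttemptWindow never accumulate toward lockout in this model, which is worth keeping in mind when choosing the two values together.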

Requirements

Namespace: System.Web.Security
Assembly: System.Web (in System.Web.dll)
Assembly Versions: 2.0.0.0
Since: .NET 2.0