The Membership.MaxInvalidPasswordAttempts property works in conjunction with the Membership.PasswordAttemptWindow property to guard against an unwanted source guessing the password or password answer of a membership user through repeated attempts. If the number of invalid passwords or password questions supplied for a membership user is greater than or equal to the Membership.MaxInvalidPasswordAttempts property value within the number of minutes identified by the Membership.PasswordAttemptWindow, then the membership user is locked out by setting the MembershipUser.IsLockedOut property to true until the user is unlocked by a call to the MembershipUser.UnlockUser method. If a valid password or password answer is supplied before the Membership.MaxInvalidPasswordAttempts value is reached, the counter that tracks the number of invalid attempts is reset to zero.

Invalid password and password-answer attempts accumulate independently of one another. For example, if the Membership.MaxInvalidPasswordAttempts property is set to 5, and three invalid password attempts are made followed by two invalid password-answer attempts, two more invalid password attempts (or three more invalid password-answer attempts) must be made within the Membership.PasswordAttemptWindow for the membership user to be locked out.

If the Membership.RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.

Invalid password and password-answer attempts are tracked in the MembershipProvider.ValidateUser(string, string), MembershipProvider.ChangePassword(string, string, string), MembershipProvider.ChangePasswordQuestionAndAnswer(string, string, string, string), MembershipProvider.GetPassword(string, string), and MembershipProvider.ResetPassword(string, string) methods.