The SqlMembershipProvider.PasswordAttemptWindow property works in conjunction with the SqlMembershipProvider.MaxInvalidPasswordAttempts property to help guard against an unwanted source guessing the password or the password answer of a membership user through repeated attempts. When users are attempting to log in, change their password, or reset their password, only a certain number of consecutive attempts are allowed within a specified time window. The length of the time window is specified by the SqlMembershipProvider.PasswordAttemptWindow property, which identifies the number of minutes allowed between invalid attempts. If the number of consecutive failed attempts that a user makes to reset his or her password equals the value stored in the SqlMembershipProvider.MaxInvalidPasswordAttempts property, and the time elapsed since the last invalid attempt is less than the number of minutes specified for the SqlMembershipProvider.PasswordAttemptWindow property, then the membership user is locked out by setting the MembershipUser.IsLockedOut property to true. The user can be unlocked by calling the MembershipUser.UnlockUser method. If the interval between the current failed attempt and the last failed attempt is greater than the SqlMembershipProvider.PasswordAttemptWindow property setting, the current invalid attempt is counted as the first. If a valid password answer is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password-answer attempts is set to zero. If a valid password is supplied before the maximum number of allowed invalid attempts is reached, the count of invalid password attempts and the count of invalid password-answer attempts are set to zero.

The System.Web.Security.SqlMembershipProvider keeps count of invalid password attempts and invalid password-answer attempts separately. Invalid password attempts result in only the password-attempt counter being incremented. Invalid password-answer attempts result in only the password-answer counter being incremented.

The Membership.PasswordAttemptWindow property value is set in the application configuration using the passwordAttemptWindow attribute of the membership configuration section.

If the Membership.RequiresQuestionAndAnswer property is set to false, invalid password-answer attempts are not tracked.