You have three tries before lockout - why three?

K Renaud, R. English, T. Wynne, F. Weber

Research output: Chapter in Book/Report/Conference proceedingConference contribution book

2 Citations (Scopus)


It is considered good practice to lock users out if they enter the wrong password three times. This is applied almost universally by systems across the globe. Three tries was probably considered a good balance originally between allowing the legitimate user to make some genuine errors and foiling an attacker. This rule makes sense intuitively yet there is no empirical evidence that three tries is the most efficacious number. It is entirely possible that the number should not be three, but some other number, such as two, five or even seven. It is very hard to test this since attempts could be either a legitimate user attempting to recall his/her password, or an intruder trying to breach the account. If an attacker is allowed more attempts one could imagine the system's security being compromised. Here we argue for the use of a simulation engine to test the effects of such password-related security measures on the security of the entire eco-system. A simulation approach expedites no-risk empirical testing. We use a simulator called SimPass, which models both user password-related behaviour and potential password-based attacks from within and outside an organization. We provide evidence of the expected security impact of increasing the prevalence of password sharing. That is it will lead to increased use of others' credentials and a lack of accountability. We then test different settings for locking of accounts after a certain number of failed authentication attempts to determine a potentially optimal setting. We find that a three times lockout policy might well be too stringent and deserves further investigation.

Original languageEnglish
Title of host publicationProceedings of the Eighth International Symposium on Human Aspects of Information Security & Assurance (HAISA) 2014
Place of PublicationPlymouth, UK
Number of pages11
Publication statusPublished - 1 Jul 2014
Externally publishedYes
Event8th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2014 - Plymouth, United Kingdom
Duration: 8 Jul 20149 Jul 2014


Conference8th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2014
Country/TerritoryUnited Kingdom


  • passwords
  • security policies
  • simulation


Dive into the research topics of 'You have three tries before lockout - why three?'. Together they form a unique fingerprint.

Cite this