You have three tries before lockout – Why three?

Karen Renaud, Rosanne English, Thomas Wynne, Florian Weber

Research output: Contribution to conferencePaperpeer-review

21 Downloads (Pure)


It is considered good practice to lock users out if they enter the wrong password three times. This is applied almost universally by systems across the globe. Three tries is probably considered a good balance between allowing the legitimate user to make some genuine errors and foiling an attacker. It must be acknowledged that this rule makes sense intuitively yet there is no empirical evidence that three tries is the most efficacious number. It is entirely possible that the number should not be three, but some other number, such as five or even seven. It is very hard to test this since attempts could be either a legitimate user attempting to recall his/her password, or an intruder trying to breach the account. If an attacker is allowed more attempts one could imagine the system’s security being compromised. Here we argue for the use of a simulation engine to test the effects of such password-related security measures on the security of the entire eco-system. A simulation approach expedites no-risk empirical testing. We use a simulator called SimPass which models both user password-related behaviour and potential password-based attacks from within and outside an organization. We will firstly validate SimPass’s output by quantifying the security impact of increasing the prevalence of password sharing. This kind of behaviour has predictable results, since increased sharing will inevitably lead to more use of others’ credentials. Having shown that SimPass produces credible results, we then test different settings for locking of accounts after a certain number of failed authentication attempts to determine the optimal setting. We find that a three times lockout policy might well be too stringent.
Original languageEnglish
Number of pages10
Publication statusPublished - 9 Jul 2014
Event8th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2014 - Plymouth, United Kingdom
Duration: 8 Jul 20149 Jul 2014


Conference8th International Symposium on Human Aspects of Information Security and Assurance, HAISA 2014
Country/TerritoryUnited Kingdom


  • passwords
  • simulation
  • security policies
  • SimPass
  • password-related behavior
  • authentication


Dive into the research topics of 'You have three tries before lockout – Why three?'. Together they form a unique fingerprint.

Cite this