Account Lockout Policies: A strong defence against unauthorised logins

Brute force attacks are one method that threat actors use to guess a password and gain access to business accounts. Attackers systematically submit all possible password combinations until guessing the correct one, using modern brute force tools that can generate many combinations quickly, especially if they know the password structure. 

These attacks remain a persistent threat to systems with weak or commonly used passwords. In the latest Notifiable Data Breaches report, the Office of the Australian Information Commissioner (OAIC) found that brute-force attacks affected the most individuals worldwide, with an average of 1,667,293 people impacted.

An account lockout policy provides one layer of protection against these threats by disabling a user account after a certain number of incorrect password entries within a set time frame.

How an account lockout policy indicates a cyber attack

Account lockouts will seldom impact users, provided they have remembered their details. So, if a user becomes locked out of their account, it can indicate login attempts from a threat actor. The key warning signs include:

  1. Frequent account lockouts signify that a threat actor has targeted a specific account, especially if the account owner has not attempted to log in recently.
  2. Multiple attempts from unrecognised IP addresses also indicate that an unauthorised user has attempted to log in.
  3. A sudden spike in login attempts, especially across different accounts and over a short period, indicates a brute force attack.
  4. Attempts on dormant accounts suggest attackers have tried to target accounts your organisation might not monitor. It is best practice not to leave unused accounts open; this is one example of why.

What are the limitations of account lockout policies?

An account lockout policy should not be the only solution implemented to protect accounts. Solely relying on them can give a false sense of security. Your organisation should complement these policies with other methods, such as multi-factor authentication (MFA), to further prevent successful logins.

Account lockout policies do not protect accounts from phishing. A determined threat actor might bypass account lockouts by manipulating your team into sharing details. Your team should receive training for recognising phishing attempts and reporting them to the necessary people in the business.

What can your team do?

Your team are the first line of defence and must understand the imperative to protect their accounts. By adopting a few straightforward and effective measures, your team can prevent getting locked out of their accounts and raise potential security breaches.

Complex passwords are an excellent method to prevent dictionary attacks, which cycle through words to guess a password. A password manager can suggest and store strong passwords to prevent users from guessing and re-entering passwords.

Your team should monitor their accounts for suspicious activity and respond to notifications of suspicious login attempts to catch unusual patterns or actions. Team training should cover who people should report these incidents to and the steps they can take to further protect their accounts.


Account lockout policies can provide an excellent layer of protection against brute-force attacks and can indicate suspicious activity. However, they are not an organisation’s only solution to secure accounts and the associated data. In addition to an account lockout policy, your organisation should encourage people to implement MFA, monitor activity on their account and remain vigilant of phishing attempts.

Layer 8 educates teams on protecting their accounts

A lack of cyber awareness in a business leads to easy mistakes such as staff clicking phishing links or writing passwords on Post-It notes. Standard training sessions, such as PowerPoint presentations and lectures, are not enough to engage your team and encourage them to use cyber security best practices.

Our Cyber Escape Rooms engage your team with gamification techniques that encourage knowledge retention. As a result, your team can actively protect the business rather than forgetting about cyber security best practices later on and making a mistake. Visit our Cyber Escape Rooms page for more information and to book a preview session.

Related blogs

8 essential components of a solid cyber security education plan

Unmasking the hidden risks of multi-factor authentication

5 ways to prevent insider threats in your business

Popular Posts