An account lockout policy disables accounts after a defined number of failed login attempts, preventing brute-force and password-spraying attacks.
Balance security against usability: a policy that is too aggressive lets an attacker deliberately trigger lockouts and deny legitimate users access (DoS). Typical settings: 5 attempts, 30-minute lockout. Audit lockout events; a high frequency of lockouts may indicate an attack in progress.