If you’re worried about someone trying to guess your Windows password, you can have Windows temporarily block sign in attempts after a specific number of failed attempts.
Assuming you haven’t set Windows up to sign you in automatically, Windows allows an unlimited number of password attempts for local user accounts at the sign in screen. While it’s handy if you can’t remember your password, it also offers other people who have physical access to your PC an unlimited number of tries to get in. While there are still ways people can bypass or reset a password, setting up your PC to temporarily suspend sign in attempts after several failed attempts can at least help prevent casual break-in attempts if you’re using a local user account. Here’s how to get it set up.
A couple of quick notes before you get started. Using this setting can let somebody prank you by incorrectly entering the password several times and thus locking you out of your PC for a time. It would be wise to have another administrator account that can unlock the regular account.
Also, these settings only apply to local user accounts, and will not work if you sign in to Windows 8 or 10 using a Microsoft account. If you want to use the lockout settings, you'd need to switch your Microsoft account to a local one first. If you prefer to keep using your Microsoft account, you can head to your security settings page and log in. There, you'll be able to change things like adding two-step verification, setting up trusted devices, and more. Unfortunately, there is no lockout setting for Microsoft accounts that works like the one we're covering here for local accounts. However, these settings will work just fine for local user accounts in Windows 7, 8, and 10.
Home Users: Set a Sign In Limit with the Command Prompt
If you’re using a Home edition of Windows, you’ll need to use the Command Prompt to set a limit on sign in attempts. You can also set the limit this way if you’re using a Pro or Enterprise edition of Windows, but if you are using one of those editions you can do it much more easily using the Local Group Policy Editor (which we cover a bit later in this article).
Please note that you’ll need to complete all of the following instructions or you could end up locking yourself out completely.
To start, you’ll need to open the Command Prompt with administrative privileges. Right-click the Start menu (or hit Windows+X on your keyboard) to open the Power Users menu, then click “Command Prompt (Admin).”
Note: If you see PowerShell instead of Command Prompt on the Power Users menu, that’s a switch that came about with the Creators Update for Windows 10. It’s very easy to switch back to showing the Command Prompt on the Power Users menu if you want, or you can give PowerShell a try. You can do pretty much everything in PowerShell that you can do in Command Prompt, plus a lot of other useful things.
At the prompt, type the following command and then hit Enter:
net accounts
This command lists your current account policy. By default it reports "Lockout threshold: Never," which means that the account will not lock no matter how many times a password is entered incorrectly.
You'll start by setting the lockout threshold to the number of failed sign in attempts you want to allow before sign in is temporarily locked. You can set the number to anything from 1 to 999, but we recommend setting it to at least three. This way, you have room to accidentally type the wrong password a time or two before locking yourself out. Just type the following command, substituting the number at the end with the number of failed password attempts you want to allow.
net accounts /lockoutthreshold:3
Now, you’re going to set a lockout duration. This number specifies how long, in minutes, an account will be locked out if the threshold for failed password attempts is reached. We recommend 30 minutes, but you can set whatever you like here.
net accounts /lockoutduration:30
And finally, you're going to set a lockout window. This number specifies how long, in minutes, before the counter for failed password attempts is reset, assuming the actual lockout threshold is not reached. So, for example, say the lockout window is 30 minutes and the lockout threshold is three attempts. You could enter two bad passwords, wait 30 minutes after the last bad password attempt, and then have three more tries. One constraint to keep in mind: the window can't be longer than the lockout duration, so if you want a longer window, raise the duration first. Set the lockout window using the following command, replacing the number at the end with the number of minutes you want to use. Again, we feel like 30 minutes is a good amount of time.
net accounts /lockoutwindow:30
When you’re done, you can use the net accounts command again to review your settings. They should look something like the settings below, depending on what you chose.
Now you’re all set. Your account will automatically prevent people from logging in if the password is entered incorrectly too many times. If you ever want to change or remove the settings, just repeat the steps with the new options you want.
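The three commands above as one script, which is an added example and not part of the original article. It wraps the same net accounts calls in PowerShell, checks the value ranges before applying anything, orders the duration and window changes so the "window must not exceed duration" rule is never violated mid-way, and parses the net accounts report back so you can confirm what actually took effect. The function names are this example's own; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): configure and verify the
# local account lockout policy with net accounts. Requires an elevated prompt.

function Get-LocalLockoutPolicy {
    # Parse the "net accounts" report into a hashtable with the three lockout values.
    $report = net accounts
    if ($LASTEXITCODE -ne 0) { throw "net accounts failed with exit code $LASTEXITCODE" }
    $policy = @{}
    foreach ($line in $report) {
        switch -Regex ($line) {
            '^Lockout threshold:\s+(\S+)'                      { $policy.Threshold = $Matches[1] }
            '^Lockout duration \(minutes\):\s+(\S+)'           { $policy.Duration  = [int]$Matches[1] }
            '^Lockout observation window \(minutes\):\s+(\S+)' { $policy.Window    = [int]$Matches[1] }
        }
    }
    return $policy
}

function Set-LocalLockoutPolicy {
    param(
        # 0 disables lockout entirely; net accounts accepts 0-999 here.
        [ValidateRange(0, 999)]   [int] $Threshold,
        # Minutes the account stays locked once the threshold is hit.
        [ValidateRange(1, 99999)] [int] $DurationMinutes = 30,
        # Minutes of quiet after which the bad-password counter resets.
        [ValidateRange(1, 99999)] [int] $WindowMinutes = 30
    )

    # Windows requires the reset window to be no longer than the lockout duration.
    if ($WindowMinutes -gt $DurationMinutes) {
        throw "Lockout window ($WindowMinutes min) must not exceed lockout duration ($DurationMinutes min)."
    }

    $current = Get-LocalLockoutPolicy

    net accounts /lockoutthreshold:$Threshold | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Failed to set lockout threshold" }

    if ($Threshold -gt 0) {
        # Choose an order that keeps window <= duration at every step:
        # if the new window already fits under the current duration, set it first;
        # otherwise raise the duration first and then widen the window.
        if ($WindowMinutes -le $current.Duration) {
            $steps = @("/lockoutwindow:$WindowMinutes", "/lockoutduration:$DurationMinutes")
        } else {
            $steps = @("/lockoutduration:$DurationMinutes", "/lockoutwindow:$WindowMinutes")
        }
        foreach ($arg in $steps) {
            net accounts $arg | Out-Null
            if ($LASTEXITCODE -ne 0) { throw "Failed to apply net accounts $arg" }
        }
    }

    # Read the policy back rather than trusting the exit codes alone.
    $applied = Get-LocalLockoutPolicy
    $expectedThreshold = if ($Threshold -eq 0) { 'Never' } else { "$Threshold" }
    if ($applied.Threshold -ne $expectedThreshold) {
        throw "Threshold readback mismatch: wanted $expectedThreshold, got $($applied.Threshold)"
    }
    return $applied
}

# Usage: three strikes, 30-minute lockout, counter resets after 30 quiet minutes.
# Set-LocalLockoutPolicy -Threshold 3 -DurationMinutes 30 -WindowMinutes 30
# Turn it off again with:  Set-LocalLockoutPolicy -Threshold 0
```

The readback step matters on a domain-joined PC, where a domain account policy can silently override what you set locally; comparing the parsed report with what you asked for catches that immediately instead of at the next sign in.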
And here’s how it works in practice. The sign in screen gives no indication that a lockout threshold is in place or how many attempts you have. Everything will appear as it always does until you enter enough failed password attempts to meet the threshold. At that point, you’ll be given the following message. And again, there is no indication about how long the account is locked out.
If you want to turn the setting off, all you have to do is go back into an administrative command prompt and set the account threshold to 0 using the following command.
net accounts /lockoutthreshold:0
You don’t need to worry about the other two settings. When you set the lockout threshold to 0, the lockout duration and lockout window settings become inapplicable.
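Because the sign in screen tells you nothing about how long the lockout lasts, and because a locked account is exactly the prank scenario mentioned earlier, it helps to have a way to check and clear the lock from the second administrator account without waiting out the duration. The following is an added example, not code from the original article: it uses the WinNT ADSI provider (available on Home editions, which lack the Local Users and Groups console) to read and clear the lockout flag, and reads the Security log for event 4740, which Windows writes when an account is locked out if user account management auditing is enabled. The account name "alice" is a placeholder, and the function names are this example's own. Run it elevated from the other administrator account.

```powershell
# Added example (not from the original article): inspect and clear a local
# account lockout from a second administrator account. Requires elevation.

function Get-LocalAccountLockState {
    param([Parameter(Mandatory)] [string] $UserName)
    # The WinNT provider exposes IsAccountLocked for local accounts on all editions.
    $account = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    return [bool] $account.InvokeGet('IsAccountLocked')
}

function Unlock-LocalAccount {
    param([Parameter(Mandatory)] [string] $UserName)
    $account = [ADSI]"WinNT://$env:COMPUTERNAME/$UserName,user"
    if (-not [bool] $account.InvokeGet('IsAccountLocked')) {
        Write-Verbose "$UserName is not locked out; nothing to do."
        return $false
    }
    # Clearing the flag ends the lockout immediately, regardless of the duration setting.
    $account.InvokeSet('IsAccountLocked', $false)
    $account.SetInfo()
    return -not [bool] $account.InvokeGet('IsAccountLocked')
}

function Get-RecentLockoutEvents {
    param([int] $Last = 5)
    # Event 4740 = "A user account was locked out". Property 0 is the target account name.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated,
                      @{ Name = 'Account'; Expression = { $_.Properties[0].Value } }
}

# Usage (placeholder account name):
# Get-LocalAccountLockState -UserName alice   # True while the lockout is in force
# Get-RecentLockoutEvents                     # when and which account got locked
# Unlock-LocalAccount -UserName alice         # clear it without waiting
```

If no 4740 events come back even though the account is locked, check that success auditing for user account management is turned on; the lockout itself still works without the audit record, you just lose the trail of when it happened.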
Pro and Enterprise Users: Set a Sign In Limit with Local Group Policy Editor
If you’re using a Pro or Enterprise edition, the easiest way to set a sign in limit is with the Local Group Policy Editor. An important note, though: if your PC is part of a company network, it’s very likely that group policy settings governing the sign in limit are already set at the domain level and will supersede anything you set in local group policy. And if you are part of a company network, you should always check with your admin before making changes like this, anyway.
Group policy is a powerful tool. If you haven’t used it before, we suggest learning a little more about what it can do before you get started. Also, if you want to apply a policy to only specific users on a PC, you’ll need to perform a few extra steps to get things set up.
To open Local Group Policy Editor, hit Start, type “gpedit.msc,” and then click the result. Alternatively, if you want to apply the policy to specific users or groups, open the MSC file you created for those users.
In Local Group Policy Editor, on the left-hand side, drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. On the right-hand side, double-click the “Account lockout threshold” setting.
In the setting's properties window, note that by default, it's set to "0 invalid logon attempts," which effectively means that the setting is turned off. To change this, just select any number greater than zero (up to 999). We recommend setting this to at least three to help ensure you don't get locked out of your own system when you accidentally type the wrong password yourself. Click "OK" when you're done.
Windows now opens a dialog proposing thirty minutes for the two related settings. "Account lockout duration" controls how long the account is locked against further sign in attempts once the threshold you set is met. "Reset account lockout counter after" controls how much time must pass after the last failed password attempt before the threshold counter is reset; it can't be longer than the lockout duration. For example, say you enter an invalid password and then enter another invalid password right away, but you do not try a third time. Thirty minutes after that second attempt (at least, going by the settings we've used here), the counter would reset and you could have another three tries.
You can’t change these values here, so just go ahead and click the “OK” button.
Back in the main Local Group Policy Editor window, you’ll see that all three settings in the “Account Lockout Policy” folder have changed to reflect the new configuration. You can change any of the settings by double-clicking them to open their properties windows, but honestly thirty minutes is a pretty solid setting for both lockout duration and resetting the lockout counter.
Once you've settled on the settings you want to use, close Local Group Policy Editor. The settings take effect immediately, but since they affect sign in, you'll have to sign out and back in to see the policy in action. And if you want to turn the whole thing off again, just go back in and change the "Account lockout threshold" setting back to 0.