What is the maximum number of invalid login attempts after which a user ID should be locked out?

• A. Locked out after seven invalid logon attempts.
• B. No lockout policy.
• C. Locked out after not more than six invalid logon attempts.
• D. Locked out after ten invalid logon attempts.

Answer: (C)

Locking an account after a small, defined number of consecutive failed logins is a standard defense against brute-force attacks. This approach stops attackers quickly by limiting how many guesses can be made in a row, while still allowing legitimate users to recover access through proper verification or administrator unlock. The policy that enforces a lockout after a low, fixed number of invalid attempts embodies this balance—protecting accounts without letting attackers have unlimited tries. Policies with no lockout are too lax and expose credentials to endless guessing, and policies that wait for many more attempts give attackers more opportunities to succeed.