Sitecore 8.2 changed maxInvalidPasswordAttempts from 256 to 5

I noticed that some of my users got locked out of my solution after I upgraded from Sitecore 8.0 to Sitecore 9.0.

That’s because Sitecore have decided to change the default value of the membership maxInvalidPasswordAttempts property from 256 attempts to 5 attempts.

The change took effect in Sitecore 8.2, and 5 is the default value from that version onwards.

The old settings:

<membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
    <add name="sql" ... maxInvalidPasswordAttempts="256" />

The new settings:

<membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
    <add name="sql" ... maxInvalidPasswordAttempts="5" />
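A web.config carried through an upgrade can still hold the old value, so it is worth checking the file rather than assuming the new default applies. The script below is an added example, not code from this post or from Sitecore: the function name `audit_membership` and both sample configs are constructed for illustration. It reports any provider whose lockout threshold is above 5 and flags a `hashAlgorithmType` of SHA1.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a web.config carried over from before 8.2 (not from the post).
SAMPLE_OLD = """<configuration><system.web>
  <membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
    <providers>
      <clear />
      <add name="sitecore" realProviderName="sql" />
      <add name="sql" maxInvalidPasswordAttempts="256" passwordAttemptWindow="10" />
    </providers>
  </membership>
</system.web></configuration>"""

# Constructed sample: the same file with the 8.2 default applied.
SAMPLE_NEW = SAMPLE_OLD.replace('"256"', '"5"')

MAX_ATTEMPTS = 5  # the 8.2 default described above


def audit_membership(config_xml, max_attempts=MAX_ATTEMPTS):
    """Return a list of findings for the <membership> section of a web.config."""
    root = ET.fromstring(config_xml)
    membership = next(root.iter("membership"), None)
    if membership is None:
        return ["no <membership> section found"]

    findings = []
    algo = membership.get("hashAlgorithmType", "")
    if algo.upper() == "SHA1":
        findings.append("hashAlgorithmType=SHA1 is still configured")

    # iter() also finds <add> elements that sit directly under <membership>.
    for add in membership.iter("add"):
        raw = add.get("maxInvalidPasswordAttempts")
        if raw is None:
            continue  # e.g. a wrapper provider that does not set the attribute
        name = add.get("name", "?")
        try:
            value = int(raw)
        except ValueError:
            findings.append(f"{name}: maxInvalidPasswordAttempts={raw!r} is not an integer")
            continue
        if value > max_attempts:
            findings.append(f"{name}: maxInvalidPasswordAttempts={value} exceeds {max_attempts}")
    return findings


if __name__ == "__main__":
    for label, xml in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW)):
        print(label, audit_membership(xml))
```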



About briancaos

Developer at Pentia A/S since 2003. Have developed Web Applications using Sitecore since Sitecore 4.1.

2 Responses to Sitecore 8.2 changed maxInvalidPasswordAttempts from 256 to 5

  1. Jan Bluemink says:

    Also take a look at the password hashing algorithm, SHA1 is too easy today.

  2. Andy Burns says:

    Yup, changing it to SHA512 is part of the security hardening guide. I don’t know why it’s not built in. When you do change it, you might need to run a bit of SQL to reset your admin password.
