# Set a Failed Login Attempt Lockout Policy

You can specify the number of times a user can enter an incorrect password before they are locked out of the system. When a user reaches this limit, their account is locked for the specified number of seconds.

This feature can be enabled per user or per role, in which case every user belonging to that role will be subject to failed login attempt lockout.

## Enable the Lockout Policy

To enable the lockout policy:

Set *both* `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME` for the user or role. `FAILED_LOGIN_ATTEMPTS` is the number of failed attempts before the account is locked, for example: `4`. `PASSWORD_LOCK_TIME` is the number of seconds a locked out account must wait before reattempting to log in.

> **📝 Note**: You must set both `FAILED_LOGIN_ATTEMPTS` and `PASSWORD_LOCK_TIME` to enable the feature.

Enable the lockout feature at 4 failed attempts, with a lockout time of 4 hours (14400 seconds) when creating a user:

```sql
CREATE USER user1 WITH FAILED_LOGIN_ATTEMPTS = 4 PASSWORD_LOCK_TIME = 14400;
```

Enable the feature for a role:

```sql
CREATE ROLE general WITH FAILED_LOGIN_ATTEMPTS = 4 PASSWORD_LOCK_TIME = 14400;
```

If a user is associated with more than one role with different password lock times, the larger `PASSWORD_LOCK_TIME` value is applied.

If a user and a role the user is tied to have conflicting `FAILED_LOGIN_ATTEMPTS` settings, the lower value is applied.
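The following audit helper is an added example, not SingleStore code. It resolves the lockout policy a user ends up with from the two precedence rules above and flags any user or role that has only one of the two settings. It assumes the "lower attempts" and "larger lock time" rules apply across the user and all of its roles, and that a principal with only one setting contributes nothing; the class, function, and inventory names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Lockout:
    attempts: Optional[int] = None   # FAILED_LOGIN_ATTEMPTS
    lock_time: Optional[int] = None  # PASSWORD_LOCK_TIME, in seconds

    @property
    def enabled(self) -> bool:
        # The feature is active only when both settings are present.
        return self.attempts is not None and self.lock_time is not None

def effective(user: Lockout, roles: list) -> Optional[Lockout]:
    """Resolve one user's policy; None means no lockout applies."""
    # Assumption: principals with only one setting are ignored.
    active = [p for p in [user, *roles] if p.enabled]
    if not active:
        return None
    # Lower attempt limit wins; larger lock time wins.
    return Lockout(min(p.attempts for p in active),
                   max(p.lock_time for p in active))

def audit(inventory: dict) -> dict:
    """Map each user to (effective policy, half-configured principals)."""
    report = {}
    for name, (user, roles) in inventory.items():
        half = [label for label, p in [("user", user), *roles.items()]
                if (p.attempts is None) != (p.lock_time is None)]
        report[name] = (effective(user, list(roles.values())), half)
    return report

# Constructed sample inventory: user -> (user-level settings, {role: settings}).
GENERAL = Lockout(4, 14400)
OPS = Lockout(6, 86400)
LEGACY = Lockout(attempts=3)  # PASSWORD_LOCK_TIME missing, so not enabled
INVENTORY = {
    "user1": (Lockout(4, 14400), {}),
    "user2": (Lockout(), {"general": GENERAL, "ops": OPS}),
    "user3": (Lockout(attempts=3), {}),
    "user4": (Lockout(10, 600), {"general": GENERAL, "legacy": LEGACY}),
}

if __name__ == "__main__":
    for name, (policy, half) in audit(INVENTORY).items():
        print(name, policy or "NO LOCKOUT", "half-configured:", half)
```

A user reported with no effective policy, or any entry in the half-configured list, is an account or role to review.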

## Update Lockout Settings

If the `PASSWORD_LOCK_TIME` value is updated for a role or user, the new setting applies to currently locked accounts. For example, if a locked out user’s lockout time setting is 1 day, and `PASSWORD_LOCK_TIME` is then set to 4 hours, the new limit is enforced and the account will be unlocked 4 hours after it was locked. If a user’s lockout time setting is 4 hours, and the setting is increased to 1 day, the user will remain locked out for 1 day.

If the `FAILED_LOGIN_ATTEMPTS` setting for a locked out user is updated to be higher than the current setting, the user is unlocked. If the new setting is lower than the current number of failed login attempts, and also higher than the user’s current number of failed login attempts, the new setting is ignored until the user successfully logs in. The user is still subject to the original `FAILED_LOGIN_ATTEMPTS` setting.

## Unlock a Locked Account

To unlock a locked account:

Use the `ALTER USER` command and specify `ACCOUNT UNLOCK`.

```sql
ALTER USER user ACCOUNT UNLOCK;
```

If [sync permissions](https://docs.singlestore.com/db/v9.1/security/administration/synchronizing-permissions-across-your-cluster.md) is not enabled, `ACCOUNT UNLOCK` should be issued on the aggregator where the user is to be unlocked.

If `sync_permissions` is enabled, `ACCOUNT UNLOCK` should be issued on the Master Aggregator since all user modifications will have to come from the Master. This will unlock the account across the cluster.

***

Modified at: April 3, 2023

Source: [/db/v9.1/security/configure-singlestore-user-accounts/set-a-failed-login-attempt-lockout-policy/](https://docs.singlestore.com/db/v9.1/security/configure-singlestore-user-accounts/set-a-failed-login-attempt-lockout-policy/)

