What is a typical recommended lockout policy for failed login attempts?


Multiple Choice

What is a typical recommended lockout policy for failed login attempts?

Explanation:
Lockout policies aim to stop attackers from guessing passwords while keeping legitimate users from getting locked out unnecessarily. A typical approach is to allow several consecutive failed attempts—around five to ten—before enforcing a temporary lockout or introducing progressive delays that grow with each failure. This strikes a balance: it dramatically slows brute-force attempts and reduces risk, yet avoids instantly denying access for a user who mistyped a password. Providing a self-service unlock option or admin assistance helps legitimate users regain access without heavy IT overhead, and monitoring for brute-force patterns lets you detect and respond to suspicious activity. Locking after a single failure is too harsh for everyday use, and no lockout leaves accounts exposed to rapid guessing; a permanent lock after many failures is impractical and can trap valid users.