If a user forgets their Open edX password and repeatedly fails to log in, they will be locked out of their account.
System Defaults
- The default for maximum failed password attempts is 6.
- The default duration to wait once you’ve been locked out is 30 minutes.
- Attempts to log in while the lockout is active have no effect on the login count or lockout duration, and display a lockout message to the user.
- Any incorrect attempts after the timeout expires will add another 30 minutes of lockout.
This duration is purposely not displayed to the user, because a hacker using brute-force password attempts could then write a script to wait 15 minutes, and then try another series of brute-force attacks.
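The defaults above, modelled as a small state machine in Python. This is an added example, not Open edX's own code: the names `LockoutState`, `attempt_login` and `replay`, the message strings, and the counter reset on a successful login are assumptions for illustration. It shows that the failure count outlives the lockout, so a single wrong password after expiry re-locks the account.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 6                 # default stated on this page
LOCKOUT_PERIOD = timedelta(minutes=30)  # default stated on this page
LOCKED_MESSAGE = "Account temporarily locked."  # constructed; shows no duration


@dataclass
class LockoutState:
    failure_count: int = 0
    locked_until: Optional[datetime] = None


def attempt_login(state, password_ok, now):
    """Apply one login attempt; return (logged_in, message shown to the user)."""
    if state.locked_until is not None and now < state.locked_until:
        # Lockout active: the attempt changes neither the count nor the expiry.
        return False, LOCKED_MESSAGE
    if password_ok:
        # Assumption (not stated on the page): success clears the counter.
        state.failure_count, state.locked_until = 0, None
        return True, "Signed in."
    state.failure_count += 1
    if state.failure_count >= MAX_FAILED_ATTEMPTS:
        # The count survives lockout expiry, so each later failure lands here
        # and starts a fresh 30-minute lockout.
        state.locked_until = now + LOCKOUT_PERIOD
        return False, LOCKED_MESSAGE
    return False, "Email or password is incorrect."


def replay(events, start):
    """Replay (minute_offset, password_ok) events; return one row per attempt."""
    state, rows = LockoutState(), []
    for minute, ok in events:
        logged_in, _ = attempt_login(state, ok, start + timedelta(minutes=minute))
        rows.append((minute, logged_in, state.failure_count, state.locked_until))
    return rows


if __name__ == "__main__":
    # Constructed timeline: six failures, a correct password during lockout,
    # one failure after expiry, a correct password after the second expiry.
    events = [(m, False) for m in range(6)] + [(10, True), (40, False), (71, True)]
    for row in replay(events, datetime(2024, 1, 1, 9, 0)):
        print(row)
```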
Support Options
- Verify the user's email address and the URL they are trying to access.
- Tell them to wait 30 minutes and to try again IF they can find or remember their password.
- If not, tell them to use the “Forgot password?” link on the login page, after the 30-minute wait.