An account lockout policy disables an account after N consecutive failed login attempts, which blunts brute-force and password-spraying attacks against that account.
Balance security against availability: an overly aggressive policy lets an attacker cause a denial of service by deliberately locking accounts. Typical settings: 5 attempts, 30-minute lockout, failed-attempt counter reset after 30 minutes. Audit lockout events; a high frequency of lockouts indicates an attack in progress.