Typically, a policy is formulated as follows:
This type of policy commonly prevents brute force password guessing attacks against user profiles on web sites, Active Directory domains and other systems.
There is some variety in how intruder lockouts are implemented by different systems and applications:
Users who have triggered an intruder lockout can sign into Hitachi ID Password Manager with other types of credentials, such as a hardware token or answers to personal questions, and can then clear the intruder lockout on their own account.
Hitachi ID Identity and Access Management Suite distinguishes between different types of "locks," and Password Manager allows users to clear only intruder lockouts:
Not all target system types support all of the above mechanisms, and some target types actually entangle them. For example, "administratively disabled" and "intruder lockout" are represented by the same flag on most mainframe systems.
In cases where the states are entangled on a target system, Password Manager will either not allow users to clear the flag or, where possible, expose a plug-in point where customers can insert business logic to distinguish between the different meanings of the same flag.
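The kind of business logic such a plug-in point could host, as an added sketch that is not Hitachi ID code and does not use the product's plug-in interface: it treats a shared flag as a self-clearable intruder lockout only when the evidence positively supports that reading, and refuses otherwise. The field names, the threshold of 5 failed logins and the 2-minute correlation window are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

LOCKOUT_THRESHOLD = 5                      # assumed failed-login limit
CORRELATION_WINDOW = timedelta(minutes=2)  # assumed flag-vs-failure tolerance

@dataclass
class AccountState:                        # hypothetical view of the target account
    flag_set: bool                         # the one flag shared by both meanings
    failed_logins: int                     # consecutive failed logins recorded
    flag_set_at: Optional[datetime]        # when the flag was raised, if known
    last_failure_at: Optional[datetime]    # most recent failed login, if known
    admin_disable_on_record: bool          # an administrator's disable was logged

def classify(s: AccountState) -> str:
    """Return 'clear', 'admin_disabled', 'intruder_lockout' or 'unknown'."""
    if not s.flag_set:
        return "clear"
    if s.admin_disable_on_record:          # administrator intent always wins
        return "admin_disabled"
    if (s.failed_logins >= LOCKOUT_THRESHOLD
            and s.flag_set_at is not None and s.last_failure_at is not None
            and abs(s.flag_set_at - s.last_failure_at) <= CORRELATION_WINDOW):
        return "intruder_lockout"
    return "unknown"                       # missing or conflicting evidence

def may_self_clear(s: AccountState) -> bool:
    """Fail closed: only a positively identified intruder lockout is clearable."""
    return classify(s) == "intruder_lockout"

# Constructed sample states, not data from any real system.
T = datetime(2024, 1, 1, 9, 0, 0)
GUESSING = AccountState(True, 5, T, T - timedelta(seconds=3), False)
DISABLED = AccountState(True, 6, T, T - timedelta(seconds=3), True)
STALE = AccountState(True, 5, T, T - timedelta(days=30), False)
NO_TIMES = AccountState(True, 9, None, None, False)

if __name__ == "__main__":
    for name, s in [("GUESSING", GUESSING), ("DISABLED", DISABLED),
                    ("STALE", STALE), ("NO_TIMES", NO_TIMES)]:
        print(name, classify(s), may_self_clear(s))
```

The `unknown` result maps to the first behavior described above: when the two meanings cannot be told apart, the user is not allowed to clear the flag.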