By default, the number password retry attempts is set to three, allowing the administrator a maximum of three attempts at logging in to their account before they are locked out for a set amount of time (by default, 60 seconds).
The number of attempts and the default wait time before the administrator can try to enter a password again can be configured using the CLI.
A maximum of ten retry attempts can be configured, and the lockout period can be 1 to 2147483647 seconds (over 68 years). The higher the retry attempts, the higher the risk that someone might be able to guess the password.
To configure the lockout options:
config system global set admin-lockout-threshold <failed_attempts> set admin-lockout-duration <seconds> end
To set the number of retry attempts to 1, and the lockout time to 5 minutes, enter the following commands:
config system global set admin-lockout-threshold 1 set admin-lockout-duration 300 end
If the time span between the first failed log in attempt and the lockout threshold failed attempt is less than lockout time, the lockout will be triggered.