How to Temporarily Lock Your PC if Someone Tries to Guess Your Password

[Batu69]

 

If you’re worried about someone trying to guess your Windows password, you can have Windows temporarily block sign in attempts after a specific number of failed attempts.

 

Assuming you haven’t set Windows up to sign you in automatically, Windows allows an unlimited number of password attempts for local user accounts at the sign in screen. While it’s handy if you can’t remember your password, it also offers other people who have physical access to your PC an unlimited number of tries to get in.

 

While there are still ways people can bypass or reset a password, setting up your PC to temporarily suspend sign in attempts after several failed attempts can at least help prevent casual break-in attempts if you’re using a local user account. Here’s how to get it set up.

 

A couple of quick notes before you get started. Using this setting can let somebody prank you by incorrectly entering the password several times and thus locking you out of your PC for a time. It would be wise to have another administrator account that can unlock the regular account.

 

Also, these settings only apply to local user accounts, and will not work if you sign on to Windows 8 or 10 using a Microsoft account. If you want to use the lockout settings, you’d need to revert your Microsoft account to a local one first. If you prefer to keep using your Microsoft account, you can head to your security settings page and log in.

 

There, you’ll be able to change things like adding two-step verification, setting up trusted devices, and more. Unfortunately, there is no lockout setting for Microsoft accounts that works like the one we’re covering here for local accounts. However, these settings will work just fine for local user accounts in Windows 7, 8, and 10.

Home Users: Set a Sign In Limit with the Command Prompt

If you’re using a Home edition of Windows, you’ll need to use the Command Prompt to set a limit on sign in attempts. You can also set the limit this way if you’re using a Pro or Enterprise edition of Windows, but if you are using one of those editions you can do it much more easily using the Local Group Policy Editor (which we cover a bit later in this article).

 

Please note that you’ll need to complete all of the following instructions or you could end up locking yourself out completely.

To start, you’ll need to open the Command Prompt with administrative privileges. Right-click the Start menu (or hit Windows+X on your keyboard) to open the Power Users menu, then click “Command Prompt (Admin).”

 

 

At the prompt, type the following command and then hit Enter:

net accounts

This command lists your current password policy, which by default should be “Lockout threshold: Never,” which means that your account will not lock you out no matter how many times a password is entered incorrectly.

 

 

You’ll start by setting the lockout threshold to the number of failed sign in attempts you want to allow before sign in is temporarily locked. You can set the number to anything you like, but we recommend setting it to at least three. This way, you have room to accidentally type the wrong password a time or two before locking yourself out. Just type the following following command, substituting the number at the end with the number of failed password attempts you want to allow.

net accounts /lockoutthreshold:3

 

Now, you’re going to set a lockout duration. This number specifies how long, in minutes, an account will be locked out if the threshold for failed password attempts is reached. We recommend 30 minutes, but you can set whatever you like here.

net accounts /lockoutduration:30

 

And finally, you’re going to set a lockout window. This number specifies how long in minutes before the counter for failed password attempts is reset, assuming the actual lockout threshold is not reached. So, for example, say the lockout duration is 30 minutes and the lockout threshold is three attempts. You could could enter two bad passwords, wait 30 minutes after the last bad password attempt, and then have three more tries.  Set the lockout window using the following command, replacing the number at the end with the number of minutes you want to use. Again, we feel like 30 minutes is a good amount of time.

net accounts /lockoutwindow:30

 

When you’re done, you can use the net accounts command again to review your settings. They should look something like the settings below, depending on what you chose.

 

 

Now you’re all set.  Your account will automatically prevent people from logging in if the password is entered incorrectly too many times.  If you ever want to change or remove the settings, just repeat the steps with the new options you want.

 

And here’s how it works in practice. The sign in screen gives no indication that a lockout threshold is in place or how many attempts you have. Everything will appear as it always does until you enter enough failed password attempts to meet the threshold. At that point, you’ll be given the following message. And again, there is no indication about how long the account is locked out.

 

 

If you want to turn the setting off, all you have to do is go back into an administrative command prompt and set the account threshold to 0 using the following command.

net accounts /lockoutthreshold:0

You don’t need to worry about the other two settings. When you set the lockout threshold to 0, the lockout duration and lockout window settings become inapplicable.

Pro and Enterprise Users: Set a Sign In Limit with Local Group Policy Editor

If you’re using a Pro or Enterprise edition, the easiest way to set a sign in limit is with the Local Group Policy Editor. An important note, though: if your PC is part of a company network, it’s very likely that group policy settings governing the sign in limit are already set at the domain level and will supersede anything you set in local group policy. And if you are part of a company network, you should always check with your admin before making changes like this, anyway.

 

Group policy is a powerful tool. If you haven’t used it before, we suggest learning a little more about what it can do before you get started. Also, if you want to apply a policy to only specific users on a PC, you’ll need to perform a few extra steps to get things set up.

 

To open Local Group Policy Editor, hit Start, type “gpedit.msc,” and then click the result. Alternatively, if you want to apply the policy to specific users or groups, open the MSC file you created for those users.

 

 

In Local Group Policy Editor, on the left-hand side, drill down to Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy. On the right-hand side, double-click the “Account lockout threshold” setting.

 

 

In the setting’s properties window, note that by default, it’s set “0 invalid logon attempts,” which effectively means that the setting is turned off. To change this, just select a new number greater than one. We recommend setting this to at least three to help ensure you don’t get locked out of your own system when you accidentally type the wrong password yourself. Click “OK” when you’re done.

 

 

Windows now automatically configures the two related settings to thirty minutes. “Account lockout duration” controls how long the PC is locked against further sign in attempts when the account lockout threshold you set is met. “Reset account lockout counter after” controls how much time must pass after the last failed password attempt before the threshold counter is reset. For example, say you enter an invalid password and then enter another invalid password right away, but you do not try a third time. Thirty minutes after that second attempt (at least, going by the settings we’ve used here), the counter would reset and you could have another three tries.

 

You can’t change these values here, so just go ahead and click the “OK” button.

 

 

Back in the main Local Group Policy Editor window, you’ll see that all three settings in the “Account Lockout Policy” folder have changed to reflect the new configuration. You can change any of the settings by double-clicking them to open their properties windows, but honestly thirty minutes is a pretty solid setting for both lockout duration and resetting the lockout counter.

 

 

Once you’ve settled on the settings you want to use, close Local Group Policy Editor. The settings take place immediately, but since they affect sign in, you’ll have to sign out and back in to see the policy in effect. And if you want to turn the whole thing off again, just go back in and change the “Account lockout threshold” setting back to 0.

 

Guide source

[straycat19]

If I have access to your PC you can do whatever you want but you can't keep me out.  There are backdoors and hacks in Windows that have been there in every version.  I posted that information a while back and so many people complained about the post, even though it is public knowledge, that  the admins took it down.  So don't think that doing any of this will prohibit someone with skill from getting into your PC, it only stops the script kiddies who have no skills but rely on the work of others to hack things.  Don't waste your time encrypting your entire drive, there isn't one encryption scheme that can't be accessed by a forensic investigator using the day code that is provided by all the encryption companies, and some of them are so weak, like Microsoft's, that you don't even need a code to break the encryption and access the drive.  Windows has never been the OS of choice for security with reason.  The most secure OS is still Linux, but as I have said many times before, anything a man invents/codes can be broken by another man, it just may take a little time.

[stylemessiah]

none of those methods will survive 30 seconds with a chntpwd ISO if you really need to login. Even quicker to boot to PE and access the file system. Almost no one encrypts their drive, but even that can be bypassed.  If you want data security, remove your drive and lock it in a safe.....

[Holmes]

You posted that information really I dont believe you and you say it got deleted by admins as a way to remove your responsibility to showing us proof.  You said your company has this and has that and make it seem like your work is hack proof yet no one elses computer is to you your so full of shit.

[Sylence]

4 hours ago, straycat19 said:

If I have access to your PC you can do whatever you want but you can't keep me out.  There are backdoors and hacks in Windows that have been there in every version.  I posted that information a while back and so many people complained about the post, even though it is public knowledge, that  the admins took it down.  So don't think that doing any of this will prohibit someone with skill from getting into your PC, it only stops the script kiddies who have no skills but rely on the work of others to hack things.  Don't waste your time encrypting your entire drive, there isn't one encryption scheme that can't be accessed by a forensic investigator using the day code that is provided by all the encryption companies, and some of them are so weak, like Microsoft's, that you don't even need a code to break the encryption and access the drive.  Windows has never been the OS of choice for security with reason.  The most secure OS is still Linux, but as I have said many times before, anything a man invents/codes can be broken by another man, it just may take a little time.

 

• does your methods still work on latest Windows 10?
• Linux is full of back doors as well, the fact that you're not aware of them doesn't make them disappear  
• this topic is about preventing unwanted logins, protecting files on hard disks is a totally different matter, regardless of OS. sometimes i doubt if you know what you say oO