KB Article #151603

How to prove that the password locking policy is enforced?

Problem

We have created a password locking policy that allows only 3 failed authentication attempts for an account. How can we prove that the policy is indeed enforced?


Resolution

When the maximum number of allowed failed logins is reached, ST drops the connection and closes the session. This is not visible from a browser, but the policy in action can be demonstrated with an FTP or SFTP command-line client, which shows the disconnect. See the example below (note the Login failed lines):


Name (localhost:root): testuser
331 Password required for testuser.
Password:
530 Login incorrect.
Login failed. --------------------> 1st failed attempt
ftp> user testuser
331 Password required for testuser.
Password: 
530 Login incorrect.
Login failed. --------------------> 2nd failed attempt
ftp> user testuser
331 Password required for testuser.
Password: 
530 Login incorrect.
Login failed. --------------------> 3rd failed attempt, connection is closed after this round
ftp> user testuser
421 Service not available, remote server has closed connection --------------------> 4th attempt, the client reports the dropped connection


As the transcript shows, after the third failed login the server closes the session, and the client must establish a new connection before it can attempt to authenticate again. The disconnect by itself only demonstrates the per-session limit; to confirm that the account is actually locked rather than merely disconnected, reconnect and attempt to log in with the correct password: while the lock is in effect, that attempt should also be rejected.
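Scripted version of the check above, as an added example (this is not code from the KB article or from SecureTransport). It uses Python's ftplib to repeat USER/PASS with a wrong password on one control connection, exactly as the interactive session does, and records whether the server answers 530 or drops the session. A small mock FTP server is embedded so the script runs offline; the mock, the account password, and the mock's behaviour of keeping the account locked on later connections are assumptions made for the demo. To test a real ST instance, call attempt_logins() with the server's host and port and a test account instead.

```python
"""Added example, not from the KB article or SecureTransport: scripts the
lockout check with ftplib. A mock FTP server modelling the policy is embedded
so it runs offline; against a real server call attempt_logins() instead."""
import ftplib
import socket
import threading

# Constructed demo values; the article only names the account "testuser".
USER = "testuser"
GOOD_PASSWORD = "correct-horse-battery"   # assumed; only the mock knows it
BAD_PASSWORD = "wrong"
MAX_FAILURES = 3                          # the policy under test


class MockLockoutFtpServer:
    """Hypothetical control-channel server: after max_failures bad passwords it
    drops the session (as the article describes for ST) and, as assumed here
    for a lockout policy, keeps rejecting the account on later connections."""

    def __init__(self, max_failures=MAX_FAILURES, password=GOOD_PASSWORD):
        self.max_failures, self.password = max_failures, password
        self.failures = {}                  # user -> bad attempts, all sessions
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))    # OS-assigned port, see .port
        self.sock.listen(5)
        self.sock.settimeout(0.2)           # lets _serve() notice stop()
        self.port = self.sock.getsockname()[1]
        self._running = True
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self):
        self._running = False
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while self._running:
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._session, args=(conn,), daemon=True).start()

    def _session(self, conn):
        rfile = conn.makefile("rb")
        send = lambda line: conn.sendall((line + "\r\n").encode())
        send("220 Mock FTP server ready.")
        user = None
        try:
            while True:
                raw = rfile.readline()
                if not raw:
                    return                  # client closed the connection
                cmd, _, arg = raw.decode(errors="replace").strip().partition(" ")
                if cmd.upper() == "USER":
                    user = arg
                    send("331 Password required for %s." % user)
                elif cmd.upper() == "PASS" and user is not None:
                    if arg == self.password and self.failures.get(user, 0) < self.max_failures:
                        send("230 User %s logged in." % user)
                        continue
                    self.failures[user] = self.failures.get(user, 0) + 1
                    send("530 Login incorrect.")
                    if self.failures[user] >= self.max_failures:
                        return              # policy: drop the session here
                else:
                    send("503 Bad sequence of commands.")
        finally:
            rfile.close()                   # makefile() keeps the fd until closed
            conn.close()


def attempt_logins(host, port, user, passwords):
    """Open one control connection and send USER/PASS once per password, like
    the interactive `user testuser` loop: returns the 3-digit reply code per
    attempt, or 'disconnected' once the server has closed the session."""
    ftp = ftplib.FTP(timeout=5)
    ftp.connect(host, port)
    outcomes = []
    try:
        for password in passwords:
            try:
                ftp.sendcmd("USER " + user)                          # expect 331
                outcomes.append(ftp.sendcmd("PASS " + password)[:3])  # 230 = accepted
            except ftplib.error_perm as e:                           # 5xx, e.g. 530
                outcomes.append(str(e)[:3])
            except (ftplib.error_temp, EOFError, OSError):           # 421, EOF or reset
                outcomes.append("disconnected")
    finally:
        ftp.close()
    return outcomes


def demo():
    """Both checks against the embedded mock; returns (probe, after-lock) results."""
    server, host = MockLockoutFtpServer(), "127.0.0.1"
    try:
        probe = attempt_logins(host, server.port, USER, [BAD_PASSWORD] * (MAX_FAILURES + 1))
        after = attempt_logins(host, server.port, USER, [GOOD_PASSWORD])
    finally:
        server.stop()
    return probe, after
```

demo() runs both checks against the mock: the probe yields three 530 replies followed by "disconnected" (ftplib raises EOFError or a reset where the ftp(1) client printed the 421 line), and a fresh connection with the correct password is then still rejected with 530. Against a real server it is that second check which distinguishes an actual account lock from a mere per-session disconnect; the exact reply a locked account receives from ST is not stated in the article and should be read from the server's response.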