Limited password entry attempts - Kosudo/nextSIS GitHub Wiki

As an anti-hacking measure, the user is allowed five attempts to correctly enter their password, after which their account is locked for an hour (this is the same system Drupal uses).

The locking of an account triggers a suspicious activity alert.