Two configuration settings control when an account gets locked out: maxInvalidPasswordAttempts, passwordAttemptWindow
Enter a maximum of three bad passwords or bad password answers in one hour.
File: Web.Config
<configuration>
<system.web>
<authentication mode="Forms" />
<membership defaultProvider="MyProvider">
<providers>
<add
name="MyProvider"
type="System.Web.Security.SqlMembershipProvider"
maxInvalidPasswordAttempts="3"
passwordAttemptWindow="60"
connectionStringName="LocalSqlServer"/>
</providers>
</membership>
</system.web>
</configuration>