Consider the following factors when you specify the number of failed logon attempts to allow before locking out the user:
If you allow a greater number of failed attempts, you increase exposure to unauthorized access by means of sophisticated, repetitive logon methods.
Users make keyboard mistakes and forget passwords. If you allow too few failed logons, you may increase the number of legitimate user calls to the security administrator requesting password lock release.
If your security policy allows shorter passwords, you can set the allowable number of failed logons lower. If your security policy requires longer passwords, you should set the allowable number of failed logons higher.
If your database contains valuable or sensitive data, you may justify allowing fewer logon failures (for example, 2, or in extreme cases, 1). For less sensitive data, you may choose to allow more attempts (for example, 3 or 4, or no lockout at all).
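The following is an added example, not part of the original documentation. It replays a constructed logon history against several candidate limits to show both sides of the trade-off: how many legitimate users would have been locked out, and how likely a guesser is to succeed before the lock triggers. Assumptions: the account locks on the Nth consecutive failure, a successful logon resets the counter, passwords are uniformly random, and all function names and sample events are hypothetical.

```python
from collections import defaultdict

# Constructed sample logon history in time order: (user, outcome).
EVENTS = [
    ("alice", "fail"), ("alice", "ok"),
    ("bob", "fail"), ("bob", "fail"), ("bob", "ok"),
    ("carol", "ok"),
    ("dave", "fail"), ("dave", "fail"), ("dave", "fail"), ("dave", "ok"),
    ("erin", "fail"), ("erin", "ok"), ("erin", "fail"), ("erin", "fail"), ("erin", "ok"),
]

def lockouts(events, max_failures):
    """Replay the history and return the users who would have been locked.

    Assumed semantics: the account locks on the max_failures-th consecutive
    failure, a success resets the counter, and None means no lockout at all.
    """
    if max_failures is None:
        return set()
    streak = defaultdict(int)
    locked = set()
    for user, outcome in events:
        if user in locked:
            continue  # nothing more happens until an administrator unlocks
        if outcome == "ok":
            streak[user] = 0
        else:
            streak[user] += 1
            if streak[user] >= max_failures:
                locked.add(user)
    return locked

def guess_probability(max_failures, alphabet_size, length):
    """Chance that max_failures distinct guesses hit a uniformly random password."""
    space = alphabet_size ** length
    return min(1.0, max_failures / space)

def compare(events, thresholds, alphabet_size, length):
    """Return one row per threshold: (threshold, locked users, guess probability)."""
    return [
        (n, sorted(lockouts(events, n)), guess_probability(n, alphabet_size, length))
        for n in thresholds
    ]

if __name__ == "__main__":
    for n, locked, p in compare(EVENTS, [1, 2, 3, 4], alphabet_size=62, length=8):
        print(f"max failures {n}: locked={locked} guess chance before lock={p:.2e}")
```

Running the same comparison with a smaller `length` shows why shorter passwords call for a lower limit: the guess probability for a given limit rises as the password space shrinks.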