Here’s a scenario that no doubt sounds familiar. You type in a password to get into one of your accounts. The first two times, you type in the wrong password. Then you remember the right one. But your finger slips as you type it.

You’re locked out.

The “three times lockout” rule is almost universally applied. It’s also almost universally reviled….

Here’s a scenario that no doubt sounds familiar. You type in a password to get into one of your accounts. The first two times, you type in the wrong password. Then you remember the right one. But your finger slips as you type it.

You’re locked out.

The “three times lockout” rule is almost universally applied. It’s also almost universally reviled. And to make things even more annoying: No one really knows why three is the magic number.

Three tries was probably initially considered the right number to allow for some forgetfulness, but not make it too easy for hackers to guess. But there is no empirical evidence that three tries is the sweet spot. It is possible that the number should not be three, but rather five, seven or even 10, as was suggested in 2003.

The problem is that it’s hard to gather evidence to test the lockout threshold. If you put yourself in the shoes of a system administrator, think about how it would look if you increased the number of permitted tries, and the system then gets compromised. The system administrator would be held accountable. So, the safest option is to stick with what everyone else does: Three tries and you’re out.

There is also the issue of inertia. There are all sorts of legacy protocols when it comes to security. There is, for instance, the dated definition of a “complex” password. Similarly, having enforced expiration dates for passwords was widely considered a best practice until various bodies (including the U.S. Commerce Department’s National Institute of Standards and Technology) released advice in 2017 pointing out that this was actually counterproductive.

The three times lockout rule is another of these legacy practices.

So, how do we test whether the lockout rule makes sense, since a real-world experiment is so difficult? We use a simulation. Simulations allow us to test the impact of different settings, while recording all outcomes, both good (risk reduction) and bad (risk increase). The best part is that there is no risk to any real-life system.

I developed a simulator called SimPass. It modeled password-related behaviors of virtual “agents” with human propensities, using well-established forgetting statistics to model predictable password choices, forgetting, reuse and sharing. Some malicious “agents” would attempt to breach accounts.

I worked with my colleague

Rosanne English
to test different lockout settings. We ran 500 simulations for each of three, five, seven, nine, 11 and 13 tries before lockout. What we found was that five was actually the optimal number—the sweet spot we were hoping to identify. When allowing five attempts, the number of lockouts were minimized, with no adverse effect on security.

I’m not hopeful that the lockout number will change overnight. Legacy protocols have a lot of staying power. But as we are forced to remember more passwords for an increasing number of accounts, perhaps our collective annoyance will be heard.

Dr. Renaud is a chancellor’s fellow at the University of Strathclyde in Glasgow. She can be reached at reports@wsj.com.