- Users are locked out of OpenMRS for 30 5 minutes after 7 incorrect password attempts.
- Number of attempts and last attempted time are stored as a user property. The Edit User administration page will allow you to edit the current user's properties. (Alternatively, you can clear the rows in the user_property table for that user. Since OpenMRS v1.10 the number of allowed failed login attempts can be set using the security.allowedFailedLoginsBeforeLockout global property found under Settings->Security section of the web application
- IP addresses are locked out after 10 username/password attempts.
- The number of attempts per IP are left in memory on the server in the LoginServlet. Restart OpenMRS to clear this variable.