Setting the maximum number of login attempts allowed provides protection against “brute-force” or dictionary-based attempts to guess passwords. A System Security Officer can specify a maximum number of consecutive login attempts allowed, after which the login or role is automatically locked. The number of allowable failed login attempts can be set for the entire server or for individual logins and roles. Individual settings override the server-wide setting.
The number of failed logins is stored in the logincount column in master..syslogins. A successful login resets the number of failed logins to 0.
You can use the following commands or system procedures to set or change the maximum number of login attempts:
create role
alter role
sp_addlogin
sp_modifylogin
sp_configure