---
title: Configuring password spraying prevention
description: Configure how password spraying prevention functions within your PingFederate environment to customize your login security experience.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_config_password_spray_prevent
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_password_spray_prevent.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  steps: Steps
---

# Configuring password spraying prevention

Configure how password spraying prevention functions within your PingFederate environment to customize your login security experience.

## Steps

1. Edit the `com.pingidentity.common.security.AccountLockingService.xml` file, located in the `<pf_install>/pingfederate/server/default/data/config-store` directory.

   For more information, see the inline comments and the following table.

   | Property              | Description                                                                                                                                                                                                  |
   | --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
   | DoPasswordLocking     | Enable (`true`) or disable (`false`) password spraying prevention.The default value is `false`.                                                                                                              |
   | MaxPasswordAttempts   | The maximum number of failed attempts before a password is locked out for a time period.Applicable only if password spraying prevention is enabled.The default value is `5`.                                 |
   | PasswordLockoutPeriod | The amount of time in minutes that a password is locked out when the `MaxPasswordAttempts` threshold is reached.Applicable only if password spraying prevention is enabled.The default value is `5` minutes. |

   If you have a PingFederate clustered environment, edit this file on the console node.

2. Save the change.

3. Restart PingFederate.

4. If you have a PingFederate clustered environment, click **Replicate Configuration** on **System > Server > Cluster Management**.