Security > Users > Account Lockout Settings
  
Account Lockout Settings
An administrator can configure account lockout settings by navigating to System > Subsystems > User Management > Configuration.
Maximum Login Attempts—number of log in attempts a user is allowed within the time specified in Minutes to Attempt Login before lockout. By default, this is set to 5 attempts.
Minutes to Attempt Login—amount of time a user has to attempt the maximum log in attempts specified before lockout. By default, this is set to 5 minutes.
Minutes Locked Out—amount of time a user is locked out. By default, this is set to 15 minutes. For example, if a user attempts five unsuccessful logins within five minutes, their account is locked out for 15 minutes. After 15 minutes, the user has another five attempts.
* 
If Minutes Locked Out is set to 0, the user account is not automatically unlocked and an administrator must manually unlock the account.