i am looking into account lockout best practice configurations for failed login attempts/brute force. for one of our web applications the administrator has configured locking an account after 10 failed login attempts in a 60 second window. This seems a rather unusual setting based on other recommendations I have read on account lockout. Does anyone have a view if this setting poses a risk in anyway, or if any password attack tools can be configured to work around this setting e.g. a slower approach on how many it attempts each minute, and if so a more suitable suggestion of values?