Two configuration settings control when an account gets locked out: maxInvalidPasswordAttempts and passwordAttemptWindow.
The configuration below allows a maximum of three bad passwords or bad password answers in one hour.
File: Web.Config
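<membership>
  <providers>
    <!-- passwordAttemptWindow is expressed in minutes -->
    <add name="MyProvider"
         type="System.Web.Security.SqlMembershipProvider"
         maxInvalidPasswordAttempts="3"
         passwordAttemptWindow="60"
         connectionStringName="LocalSqlServer"/>
  </providers>
</membership>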
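An added example, not part of the original page: a small Python audit that reads the membership providers from a Web.config and reports each provider's effective lockout policy, falling back to the documented SqlMembershipProvider defaults (5 attempts, 10 minutes) when an attribute is omitted. The sample config, the LegacyProvider entry, the function names and the baseline thresholds are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Documented SqlMembershipProvider defaults used when an attribute is omitted.
DEFAULTS = {"maxInvalidPasswordAttempts": 5, "passwordAttemptWindow": 10}

# Constructed sample: the page's provider plus a hypothetical one with no lockout attributes.
SAMPLE_CONFIG = """<configuration>
  <system.web>
    <membership defaultProvider="MyProvider">
      <providers>
        <add name="MyProvider"
             type="System.Web.Security.SqlMembershipProvider"
             maxInvalidPasswordAttempts="3"
             passwordAttemptWindow="60"
             connectionStringName="LocalSqlServer"/>
        <add name="LegacyProvider"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="LocalSqlServer"/>
      </providers>
    </membership>
  </system.web>
</configuration>"""


def lockout_policies(config_xml):
    """Map provider name -> (max attempts, window in minutes, is default provider)."""
    root = ET.fromstring(config_xml)
    policies = {}
    for membership in root.iter("membership"):
        default = membership.get("defaultProvider")
        for add in membership.findall("./providers/add"):
            # Missing attributes mean the provider runs with its built-in default.
            attempts = int(add.get("maxInvalidPasswordAttempts",
                                   DEFAULTS["maxInvalidPasswordAttempts"]))
            window = int(add.get("passwordAttemptWindow",
                                 DEFAULTS["passwordAttemptWindow"]))
            name = add.get("name")
            policies[name] = (attempts, window, name == default)
    return policies


def audit(config_xml, max_attempts=5, min_window=15):
    """Flag providers looser than a reviewer-chosen baseline (hypothetical thresholds)."""
    findings = []
    for name, (attempts, window, _) in sorted(lockout_policies(config_xml).items()):
        if attempts > max_attempts:
            findings.append(f"{name}: {attempts} attempts exceeds baseline {max_attempts}")
        if window < min_window:
            findings.append(f"{name}: window {window} min is shorter than baseline {min_window} min")
    return findings
```
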