The security of computing resources and associated data is of high importance in many contexts. As an example, organizations often utilize networks of computing devices to provide a robust set of services to their users. In many situations, access to these services and other network resources requires that a user provide some type of credential, often a password, to authenticate the user's identity and obtain authorization for that access through a user account or other such information. Because passwords can be stolen, guessed, or otherwise obtained by unauthorized parties, organizations often require users to periodically change or “rotate” their passwords over time. Often users will change passwords even if such change is not required, in order to improve security and reduce the risk of someone obtaining the current password.
In various systems, a maximum number of incorrect password attempts will be allowed, after which access may be locked out for a least a period of time. This has the advantage that an automated process cannot keep trying different passwords until successfully determining the correct password and gaining access. A disadvantage to such an approach is that a user can get inadvertently locked out of certain access due to incorrect password entry. For example, a user might frequently enter the prior password right after a password change due to muscle memory or simply forgetting the new password. Similarly, users often enter passwords into software applications and computing devices, particularly mobile devices, that automatically check for updated information, and the failure of a user to quickly update all such password entries can result in access getting quickly locked out as devices automatically submit requests with the old password.