The password policy engine provides a mechanism for enforcing rules for user passwords.
If you install a module that depends on users/groups, this feature will automatically be installed as well.
You can find this feature in the menu system at the following location:
System|Account Manager|Password Policies
Minimum Password Length
Specify the minimum allowable password length.
Minimum Password Age
The age before which the user cannot change the password.
Maximum Password Age
The age at which a password change is forced.
The number of different passwords you must have before you can repeat one.
If enabled, the account will be locked for 600s after 5 failed login attempts
These settings are held in ldap. If you wanted to change, for example, the lockout duration you would have to use a tool like phpLDAPAdmin and edit the object: