Bug
Resolution: Unresolved
Critical
None
After the number of bad authentication attempts has been exceeded, authentication is disabled for the given username. Any subsequent authentication attempts, including ones with the correct password, are unsuccessful.
However, SASL and HTTP behave inconsistently when a good password is presented while authentication is disabled:
- For SASL, such an attempt prolongs the lockout timeout ("Disabling authentication for ..." is logged).
- For HTTP, the lockout timeout is driven by the last unsuccessful authentication attempt ("Disabling authentication for ..." is not logged in this case).
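As an added illustration, not code from this issue or from WildFly Elytron, the Python model below reproduces the two lockout behaviours described above and shows how a good-password attempt during lockout changes when the lockout ends. The failure threshold, timeout and attempt timeline are constructed values, and the treatment of a wrong-password attempt during lockout (refreshing the lockout under both mechanisms) is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

FAILURE_THRESHOLD = 3   # constructed: lock once this many consecutive failures occur
LOCKOUT_SECONDS = 60    # constructed: how long a lockout lasts


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: Optional[float] = None  # None means not locked


def attempt(state: LockoutState, now: float, password_ok: bool, mechanism: str) -> bool:
    """Apply one authentication attempt; return True if it is accepted.

    mechanism is "sasl" or "http", reproducing the two behaviours in the report.
    """
    locked = state.locked_until is not None and now < state.locked_until
    if locked:
        if mechanism == "sasl" or not password_ok:
            # SASL: even a good password during lockout prolongs the lockout
            # (the case where "Disabling authentication for ..." is logged).
            # Assumption: a wrong password during lockout refreshes it under both.
            state.locked_until = now + LOCKOUT_SECONDS
        # HTTP with a good password: rejected, but the lockout end is unchanged;
        # it is still driven by the last unsuccessful attempt.
        return False
    if state.locked_until is not None:
        # Lockout has expired: start counting afresh.
        state.failures = 0
        state.locked_until = None
    if password_ok:
        state.failures = 0
        return True
    state.failures += 1
    if state.failures >= FAILURE_THRESHOLD:
        state.locked_until = now + LOCKOUT_SECONDS
    return False


def run(mechanism: str, attempts):
    """Replay (time, password_ok) pairs; return the decisions and final lockout end."""
    state = LockoutState()
    decisions = [attempt(state, t, ok, mechanism) for t, ok in attempts]
    return decisions, state.locked_until


# Constructed timeline: three bad passwords, then a good password at t=30 (during
# lockout) and again at t=70 (after the original lockout would have expired at t=62).
TIMELINE = [(0, False), (1, False), (2, False), (30, True), (70, True)]

if __name__ == "__main__":
    for mech in ("sasl", "http"):
        print(mech, run(mech, TIMELINE))
```

With this timeline the HTTP user is let in at t=70, while under the SASL behaviour the good-password attempt at t=30 pushed the lockout out to t=90, so the t=70 attempt fails and pushes it to t=130.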
Relates to: WFCORE-7192 CVE-2025-23368 WildFly Elytron Brute Force Authentication Attack
Coding In Progress