I received an email from Cineplex telling me my account was locked after three unsuccessful login attempts. Not because I did anything wrong. Not because anyone actually got in. But because someone tried and failed.
And now I have to reset my password.
Here is why this is a bad security practice.
It punishes the user for nothing.
If someone else mistypes my email or tries a random password, I should not be the one doing extra work. A simple notification would be enough.
A failed login means the password is working.
Three failed attempts usually indicate the account is safe. The system did its job. Forcing a reset suggests the opposite of what actually happened.
It goes against normal security standards.
Most services simply notify you and rate limit suspicious attempts. They do not lock the owner out. They only force a reset if there is evidence of compromise.
It encourages weak habits.
Frequent resets push people toward simpler passwords, repeated passwords or unsafe storage. This lowers security instead of improving it.
It does nothing to stop real attackers.
Serious attackers do not stop at three tries. They use bots, distributed IPs and automation. A forced reset after three human attempts is security theatre, not protection.
Cineplex means well, but this policy creates inconvenience, teaches bad habits and misunderstands the actual threat. At minimum, users should be given the choice to reset or continue.
Someone failing to break into my account should not result in me being locked out.
