From ee4424fa3a6c623a21c6993d3e5bb7dc4f0e6409 Mon Sep 17 00:00:00 2001 From: Sarah Chavis <62406755+schavis@users.noreply.github.com> Date: Tue, 11 Jul 2023 06:16:15 -0700 Subject: [PATCH] Add note about user lockout defaults (#21744) --- CHANGELOG.md | 1 + .../content/docs/upgrading/upgrade-to-1.13.x.mdx | 13 +++++++++++++ 2 files changed, 14 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index b64418cc39..394d75e43f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -449,6 +449,7 @@ Plugins using sdk/useragent.String must instead use sdk/useragent.PluginString. FEATURES: +* **User lockout**: Ignore repeated bad credentials from the same user for a configured period of time. Enabled by default. * **Azure Auth Managed Identities**: Allow any Azure resource that supports managed identities to authenticate with Vault [[GH-19077](https://github.com/hashicorp/vault/pull/19077)] * **Azure Auth Rotate Root**: Add support for rotate root in Azure Auth engine [[GH-19077](https://github.com/hashicorp/vault/pull/19077)] * **Event System (Alpha)**: Vault has a new opt-in experimental event system. Not yet suitable for production use. Events are currently only generated on writes to the KV secrets engine, but external plugins can also be updated to start generating events. [[GH-19194](https://github.com/hashicorp/vault/pull/19194)] diff --git a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx index 587589bd13..db39903648 100644 --- a/website/content/docs/upgrading/upgrade-to-1.13.x.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.13.x.mdx 
@@ -15,6 +15,19 @@ for Vault 1.13.x compared to 1.12. Please read it carefully. @include 'consul-dataplane-upgrade-note.mdx' +### User lockout + +As of version 1.13, Vault will stop trying to validate user credentials if the +user submits multiple invalid credentials in quick succession. During lockout, +Vault ignores requests from the barred user rather than responding with a +permission denied error. + +User lockout is enabled by default with a lockout threshold of 5 attempt, a +lockout duration of 15 minutes, and a counter reset window of 15 minutes. + +For more information, refer to the [User lockout](/vault/docs/concepts/user-lockout) +overview. + ### Active directory secrets engine deprecation The Active Directory (AD) secrets engine has been deprecated as of the Vault 1.13 release.
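Review bot: the new FEATURES bullet in the CHANGELOG.md hunk is the only entry in that block without a `[[GH-…](…)]` pull-request reference; the adjacent Azure Auth and Event System entries all carry one. Please append the reference for the user lockout change in the same format so readers can trace the feature to its implementation, and since the entry says "Enabled by default", consider stating the defaults (5 attempts, 15-minute lockout, 15-minute counter reset) or linking to the user-lockout docs, because a default that silently starts rejecting logins is exactly the kind of change operators scan the changelog for.

Review bot: in the upgrade-to-1.13.x.mdx hunk, "a lockout threshold of 5 attempt" should read "a lockout threshold of 5 attempts". On the sentence "Vault ignores requests from the barred user rather than responding with a permission denied error", it would help operators if the note said what a locked-out client actually observes and whether the ignored attempts are still recorded in the audit log, since teams that alert on repeated failed logins need to know whether the lockout suppresses the signal they watch; if that detail lives in the linked User lockout overview, a short pointer to it from this paragraph is enough.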