As per the password policy, should sterling behave as following :
Lock out user if 5 incorrect Passwords at one time and setting should be that Once the user gets back into the website, the count should
reset to 0..
Yes sterling password policy work like this only.
For example : The design is such that if an user attempts 4 times and correctly logs in at the 5th time in the specified cycle (say 10 min), the user will have only 1 attempt in the current cycle. It is not the next cycle.
User will be locked out if the 5 attempts are over in the CheckIntervalMinutes(10 min) window of the cycle. Then the next cycle of 10 min starts where again the user has 5 attempts. Login attempts that are made within the Defined Timeframe will be considered when comparing against the maximum allowed defined.