The lockout policy determines what happens when a user types their password incorrectly, and can help to protect against phishing attempts to access data.
The first setting controls when the CAPTCHA is triggered, based on the number of failed password attempts. Once the user has entered an incorrect password the configured number of times, they also have to complete the CAPTCHA on the next attempt. A CAPTCHA is a challenge–response test used to determine whether or not the user is human, typically by asking them to identify specific items or landmarks in a selection of images.
As well as setting the number of attempts before the CAPTCHA is invoked, you can also set the period over which it applies. If the period is set to 30 minutes (the default), the CAPTCHA is shown every time the user attempts to log in within that 30-minute period, with the clock starting from when the first CAPTCHA was displayed. If the attempts occur outside this window, the count resets and starts again from 0; for example, if you don't try to log in for an hour, the CAPTCHA will not show.
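
The following is an added example, not the product's own code: a small Python model of the CAPTCHA trigger and its period as described above, run over a constructed timeline of login attempts. The names (`CaptchaPolicy`, `AccountState`, `attempt`, `simulate`), the threshold of 3, and the choices that a correct password does not clear the count and that the window closes at exactly 30 minutes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class CaptchaPolicy:
    threshold: int = 3        # assumed value; the page gives no default count
    period_s: int = 30 * 60   # 30-minute default period stated on the page


@dataclass
class AccountState:
    failed: int = 0                        # failed passwords counted so far
    captcha_since: Optional[float] = None  # when the first CAPTCHA was displayed


def attempt(policy, state, now, password_ok):
    """Process one login attempt; return True if a CAPTCHA is shown for it."""
    # Period elapsed since the first CAPTCHA: the count resets to 0.
    # Treating exactly period_s as "elapsed" is an assumption.
    if state.captcha_since is not None and now - state.captcha_since >= policy.period_s:
        state.failed = 0
        state.captcha_since = None
    captcha = state.failed >= policy.threshold
    if captcha and state.captcha_since is None:
        state.captcha_since = now  # clock starts at the first CAPTCHA display
    if not password_ok:
        state.failed += 1          # assumption: a correct password leaves the count as is
    return captcha


def simulate(policy, events):
    """Replay (time_in_seconds, password_ok) events against one account."""
    state = AccountState()
    return [attempt(policy, state, t, ok) for t, ok in events]


# Constructed timeline: (seconds since the first attempt, password correct?)
EVENTS = [(0, False), (10, False), (20, False),  # three failures reach the threshold
          (30, False),    # next attempt: first CAPTCHA shown, clock starts at t=30
          (600, True),    # inside the window: CAPTCHA still shown
          (1829, False),  # one second before the window closes: CAPTCHA shown
          (1830, False),  # window elapsed: count reset to 0, no CAPTCHA
          (5430, False)]  # an hour later: below the threshold, no CAPTCHA

if __name__ == "__main__":
    for (t, ok), shown in zip(EVENTS, simulate(CaptchaPolicy(), EVENTS)):
        print(f"t={t:>5}s password_ok={ok!s:<5} captcha={shown}")
```

Replaying exported authentication logs through a model like this is a quick way to check that a chosen threshold and period behave as intended before changing the live policy.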