Authentication/UserManager/MaxFailedAccessAttemptsBeforeLockout is the site parameter you need to configure the maximum failed access attempts before locking out a portal users’ account.

By default this parameter value is 5, that means that after 5 failed attempts the user access is locked for 24 hours (this can be unlocked directly in the contact authentification).