diff --git a/docs/infrastructure_and_maintenance/security/security_checklist.md b/docs/infrastructure_and_maintenance/security/security_checklist.md index 33ab09c465..f001b55f28 100644 --- a/docs/infrastructure_and_maintenance/security/security_checklist.md +++ b/docs/infrastructure_and_maintenance/security/security_checklist.md 
@@ -88,7 +88,24 @@ and any other application-specific secrets. ### Protect against brute force attacks -Introduce a measure against brute force login attacks (captcha, etc.). +Consider introducing a measure against brute force login attacks, like CAPTCHA. Adjust timeout limits to your needs: + +When using the "forgot password" feature, a token is created which expires if the user doesn't click the password reset +link that gets mailed to them in time. The time before it expires is set in the parameter +`ibexa.site_access.config.default.security.token_interval_spec`. By nature this feature must be available to users +before they have logged in, including would-be attackers. If an attacker uses this feature with someone else's email +address, the attacker does not receive the email. But they could still try to guess the password reset link. That's why +this interval should be as short as possible. 5 minutes is often enough. + +Ibexa DXP allows you to create and send invitations to create an account in the frontend as a customer, the Back Office +as an employee, or the Corporate Portal as a business partner. You can send invitations to individual users or in +bulk. These invitations time out according to the parameter +`ibexa.site_access.config.default.user_invitation.hash_expiration_time`. This can safely be longer than the "forgot password" time, +since attackers cannot generate invitations. Don't leave it longer than it needs to be, though. + +These timeouts are both entered as [PHP DateInterval duration strings](https://www.php.net/manual/en/dateinterval.construct.php). +The forgot password feature defaults to "PT1H" (one hour). +The account invitation feature defaults to "P7D" (seven days). ### Disable Varnish when using Fastly
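Review bot: in the `### Protect against brute force attacks` hunk the rewrite turns a checklist instruction ("Introduce a measure against brute force login attacks") into a suggestion ("Consider introducing a measure ... like CAPTCHA"), and CAPTCHA is then the only concrete measure named; a checklist item should stay imperative and name the other standard controls (login rate limiting, account or IP lockout) alongside CAPTCHA. The "forgot password" paragraph also justifies a short `token_interval_spec` with "they could still try to guess the password reset link. That's why this interval should be as short as possible", which presents expiry as the defense against link guessing; expiry only shortens the window, so the text should also state that the reset token itself must be unguessable (high entropy) and that the reset endpoint is covered by the same rate limiting. The same reasoning does not carry to "This can safely be longer than the "forgot password" time, since attackers cannot generate invitations": an invitation link mailed to a user is just as guessable during its lifetime, the difference is only that an attacker cannot trigger its creation, so say that explicitly rather than implying invitations are not exposed. Finally, "5 minutes is often enough" next to the defaults "PT1H" and "P7D" would be easier to act on with a one-line configuration example, e.g. `ibexa.site_access.config.default.security.token_interval_spec: PT5M`, so readers do not have to derive the DateInterval string themselves.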