diff --git a/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java b/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
index 996e91a974..d943ccc833 100644
--- a/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
+++ b/source/java/org/alfresco/repo/security/authentication/AuthenticationServiceImpl.java
@@ -432,7 +432,7 @@ public class AuthenticationServiceImpl extends AbstractAuthenticationService imp
     {
         this.numLogins+=1;
         this.timeStamp = System.currentTimeMillis();
-        if (numLogins == protectionLimit && logger.isWarnEnabled())
+        if (numLogins == protectionLimit + 1 && logger.isWarnEnabled())
         {
             // Shows only first 2 symbols of the username and masks all other character with '*'
             logger.warn("Brute force attack was detected for user " +
diff --git a/source/test-java/org/alfresco/repo/security/authentication/AuthenticationServiceImplTest.java b/source/test-java/org/alfresco/repo/security/authentication/AuthenticationServiceImplTest.java
index 601b22d5b8..158a8ddeee 100644
--- a/source/test-java/org/alfresco/repo/security/authentication/AuthenticationServiceImplTest.java
+++ b/source/test-java/org/alfresco/repo/security/authentication/AuthenticationServiceImplTest.java
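Review bot: The `+ 1` on the changed condition encodes an off-by-one relationship with wherever `numLogins` is compared against `protectionLimit` to actually block the login, but nothing in the hunk states it, so a reader cannot tell whether the warning or the block is the one that is out by one. A why-comment above the condition would settle it, e.g. `// numLogins already includes this failure; the (protectionLimit + 1)th failed attempt is presumably the first one the protection window rejects, so warn once, on that attempt` — confirm the wording against the enforcing check, which is outside this hunk. Because the comparison is `==`, the warning is written exactly once per window; if `protectionLimit` can be lowered at runtime through its setter after the counter has already passed the new value, no warning is ever written, which is worth stating in the same comment if it is acceptable. On style, the hunk mixes `this.numLogins` with bare `numLogins` and `protectionLimit`, and `this.numLogins+=1;` reads more naturally as `numLogins++;`. The enclosing method starts before and ends after the hunk.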
@@ -156,6 +156,32 @@ public class AuthenticationServiceImplTest
                 cache.get(USERNAME));
     }
+    @Test
+    public void testProtectionDisabledBadPassword()
+    {
+        int attempts = 5;
+        authService.setProtectionPeriodSeconds(99999);
+        authService.setProtectionLimit(attempts - 2);
+        authService.setProtectionEnabled(false);
+
+        Exception spoofedAE = new AuthenticationException("Bad password");
+        doThrow(spoofedAE).when(authenticationComponent).authenticate(USERNAME, PASSWORD);
+        for (int i = 0; i < attempts; i++)
+        {
+            try
+            {
+                authService.authenticate(USERNAME, PASSWORD);
+                fail("The " + AuthenticationException.class.getName() + " should have been thrown.");
+            }
+            catch (AuthenticationException ae)
+            {
+                assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE);
+            }
+        }
+        verify(authenticationComponent, times(attempts)).authenticate(USERNAME, PASSWORD);
+        assertNull("The user should not be in the cache.", cache.get(USERNAME));
+    }
+
     private class MockCache implements SimpleCache
     {
         private Map internalCache;
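Review bot: `assertTrue("Expected failure from AuthenticationComponent", ae == spoofedAE)` in the catch block folds an identity check into a boolean, so on failure the report shows only the message; `assertSame("Expected failure from AuthenticationComponent", spoofedAE, ae)` expresses the same intent and prints both objects when it fails. The new method has no Javadoc; a one-liner such as `/** With protection disabled, every bad-password attempt must reach the AuthenticationComponent and must leave no lockout or cache entry behind. */` would state the contract the `verify` and `assertNull` lines check. Nothing in this hunk exercises the warning threshold that the same commit moves to `protectionLimit + 1` in AuthenticationServiceImpl; if no other test in this file covers the protection-enabled path, a sibling test that counts how many attempts reach the component around the configured limit would pin that change.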