Change the preferred credential if you have changed your password on the target db.
Or let the dba create a new profile for your account (and other OEM users) with less strict settings on all target db's.
that later suggestion violates the new policy so that's not happening.
the point about it all is that you don't have a change to change the preferred credential before your account is locked out.
the whole problem seems to be that OEM assumes no DBA would be stupid enough to setup your account to automatically lock on 3 failed attempts.
But for whatever reason when OEM tries the old preferred credential it eventually locks your account meaning that it's tried to use those old credentials
more than once already before you get to even login when prompted for your new credentials.
If preferred credentials are specified, OEM uses those credentials and checks if the login can be performed with those credentials. But, if the saved preferred credentials are different from what the database is configured, we will run into the max_failed_attempts usecase.
The same preferred credentials will be used by background jobs and so if the password is changed on the database without updating the preferred credentials, the account could be locked out quickly if there are any background jobs.
Also, OEM provides command line scripts (emcli update_db_password) that can be used to update the password in the database as well as update the preferred credentials with the same password, which is the recommeded way to change password when they are used in preferred credentials.