Secure sites often implement a password lockout period after too many failed login attempts. This is to discourage brute-forcing of passwords, where an attackers submits a lists of common passwords against known usernames.
