Comment by tinus_hn
3 years ago
That’s account lockouts. It doesn’t work against bots, because they can just try a million accounts instead of a million passwords on one account, and it makes it super easy to do a denial of service on an account, and it doesn’t prevent a denial of service against the server that has to service all these login attempts, which might very well involve running hashes designed to be computationally intensive, like PBKDF2.
This is not a novel measure; rest assured that the people that choose to implement captcha instead are aware of its existence and chose the captcha instead.
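The two lockout failure modes the comment describes can be seen by running a per-account lockout counter over a failed-login log. This is an added example, not part of the comment; the event data, thresholds and function names are constructed assumptions, and the per-source count is shown only as a contrasting signal.

```python
from collections import Counter, defaultdict

LOCKOUT_THRESHOLD = 5   # assumed: failures on one account before it is locked
SPRAY_THRESHOLD = 20    # assumed: distinct accounts failed from one source

def build_events():
    """Constructed sample of failed logins as (source_ip, account) pairs."""
    events = []
    # One source tries a single guess against 100 different accounts.
    events += [("203.0.113.7", f"user{i:03d}") for i in range(100)]
    # Another source fails 5 times on one account, locking its owner out.
    events += [("198.51.100.9", "alice")] * 5
    # Ordinary users mistyping their passwords.
    events += [("192.0.2.10", "bob"), ("192.0.2.10", "bob"),
               ("192.0.2.11", "carol")]
    return events

def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a per-account lockout policy would lock."""
    per_account = Counter(account for _, account in events)
    return {acct for acct, n in per_account.items() if n >= threshold}

def spraying_sources(events, threshold=SPRAY_THRESHOLD):
    """Sources whose failures are spread over many distinct accounts."""
    accounts_by_source = defaultdict(set)
    for source, account in events:
        accounts_by_source[source].add(account)
    return {src for src, accts in accounts_by_source.items()
            if len(accts) >= threshold}

if __name__ == "__main__":
    events = build_events()
    # The 100-account run never reaches the per-account threshold, while
    # the only lockout that fires is the one that denies service to alice.
    print("locked accounts:", locked_accounts(events))
    print("sources flagged by per-source count:", spraying_sources(events))
```

A per-source count only helps when the attempts share a source address, and neither counter reduces the hashing cost the server pays for each attempt.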