Comment by efitz
1 day ago
I’ve always said “lockout turns a possible password guessing attack into a guaranteed denial-of-service attack”.
Worse, it means that if an attacker can guess or otherwise obtain user names, the attacker needs nothing but network access to deny service to your users.
My favorite example is the iOS policy where it added more and more time before the next login attempt was allowed; small children kept locking their parents out of iPads and iPhones for weeks or months.
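To make the trade-off in the comment above concrete, here is an added simulation (not the commenter's code): a naive account-wide lockout beside a throttle keyed on the (user, source) pair with a capped backoff. The usernames, addresses, thresholds and the 900-second cap are constructed values for the demonstration.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5       # failures before an account is locked (naive policy)
MAX_DELAY_SECONDS = 900.0   # cap on backoff, so a throttle can never last for weeks


class NaiveLockout:
    """Locks the account after N failed attempts, wherever they came from.
    Anyone who knows the username can trigger this with no credentials."""
    def __init__(self):
        self.failures = defaultdict(int)

    def attempt(self, user, source, ok, now):
        if self.failures[user] >= LOCKOUT_THRESHOLD:
            return "locked"          # the account owner is denied as well
        if not ok:
            self.failures[user] += 1
            return "denied"
        self.failures[user] = 0
        return "allowed"


class ScopedBackoff:
    """Throttles the (user, source) pair with capped exponential backoff, so a
    remote guesser slows only its own path, not the account owner's."""
    def __init__(self):
        self.failures = defaultdict(int)
        self.next_allowed = defaultdict(float)

    def attempt(self, user, source, ok, now):
        key = (user, source)
        if now < self.next_allowed[key]:
            return "throttled"
        if not ok:
            self.failures[key] += 1
            delay = min(2.0 ** self.failures[key], MAX_DELAY_SECONDS)
            self.next_allowed[key] = now + delay
            return "denied"
        self.failures[key] = 0
        self.next_allowed[key] = 0.0
        return "allowed"


def owner_outcome_after_guessing(policy, guesses=20):
    """Constructed scenario: a guesser at 203.0.113.9 fails `guesses` times against
    'alice'; then alice logs in from 198.51.100.7 with the right password."""
    t = 0.0
    for _ in range(guesses):
        policy.attempt("alice", "203.0.113.9", ok=False, now=t)
        t += 1.0
    return policy.attempt("alice", "198.51.100.7", ok=True, now=t)
```

Scoping by source only narrows the blast radius (a guesser with many addresses still needs a global rate limit); the cap on the delay is what keeps a throttle from turning into the weeks-long lockout the comment describes.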