@nixCraft as someone noted: 3 wrong attempts and you lost.
This reminds me of a sysadmin who asks users to set long email passwords in order to avoid brute force attacks. Wondering whether his server is configured to ban after failing attempts.