Ten Strikes

A number of web sites block logins after just three failed attempts. Every site wants a different login and password, so sometimes it can take more than three tries to remember which password to use. The paper "Ten strikes and you're out": Increasing the number of login attempts can improve password usability takes a step toward quantifying the costs this policy. They find that increasing the number of allowed attempts to 10 could potentially eliminate 47% of password reset requests.