With appropriate controls like limited login attempts, the burden is in the provider's court.
I've never cared for this particular control-- some view "maximum attempts" to be a good security measure, but I view it as an easy way to target a DoS attack (violation of "availability" in the Security Triad). (Edit: in conjunction w/ IP heuristics, maybe not so much... but then again, it's easy to change an IP.)
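
The trade-off in this exchange, as an added example that is not part of the original comments: a failed-login counter keyed on the account alone versus one keyed on account plus source IP. The threshold, class and function names, and the event lists are constructed assumptions for illustration.

```python
from collections import defaultdict

MAX_ATTEMPTS = 3  # constructed threshold, not taken from any real provider


class AttemptLimiter:
    """Counts failed logins per key and refuses further attempts at the cap."""

    def __init__(self, key_fn, max_attempts=MAX_ATTEMPTS):
        self.key_fn = key_fn
        self.max_attempts = max_attempts
        self.failures = defaultdict(int)

    def attempt(self, account, ip, password_ok):
        key = self.key_fn(account, ip)
        if self.failures[key] >= self.max_attempts:
            return "locked"          # refused before the password is checked
        if password_ok:
            self.failures[key] = 0   # a success resets the counter
            return "ok"
        self.failures[key] += 1
        return "denied"


def by_account(account, ip):
    return account                   # classic "maximum attempts" per account


def by_account_ip(account, ip):
    return (account, ip)             # the "IP heuristics" variant


# Constructed events: (account, source IP, password correct?).
# Addresses are from the RFC 5737 documentation ranges.
NOISE_ONE_IP = [("alice", "203.0.113.9", False)] * 3
NOISE_MANY_IPS = [("alice", f"203.0.113.{i}", False) for i in range(1, 7)]
OWNER = [("alice", "198.51.100.7", True)]


def owner_outcome(key_fn, noise):
    """Result the legitimate owner gets after someone else's failures."""
    limiter = AttemptLimiter(key_fn)
    return [limiter.attempt(*e) for e in noise + OWNER][-1]


def guesses_evaluated(key_fn, noise):
    """How many wrong passwords were actually checked, not refused outright."""
    limiter = AttemptLimiter(key_fn)
    return sum(limiter.attempt(*e) != "locked" for e in noise)


if __name__ == "__main__":
    for fn in (by_account, by_account_ip):
        print(fn.__name__, owner_outcome(fn, NOISE_ONE_IP),
              guesses_evaluated(fn, NOISE_MANY_IPS))
```

Keying on the account alone caps guessing but lets a third party's failures lock the owner out; keying on account plus IP keeps the owner available but stops capping guesses once the source address varies.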