It does require the site to store failed login attempts, though, or at least flag accounts. Could not that be used in a site attack?

Only to get people's accounts locked out. My bank gives you a limit of 3 failed logins after which IIRC you have to visit a branch to reset the account. You may be able to do it via phone banking, but I believe it requires a branch visit. No, not going to test it!

Aside from getting people locked out, I can't see any attack vector from storing failed attempts?

