Tuesday, December 28, 2010

Password security

Minor problem:
So, if you type in the wrong password 3 times, you're locked out, right? Well what if you're really close? I don't think that should count as one of your 3 chances - because you're probably not a hacker trying to brute-force your way in. I think there should be more lenience for close guesses.

My solution:
Have a higher threshold for number of incorrect guesses allowed. Say, 10. If your first 3 guesses are way off, you're locked out. But if you're pretty close, you can get up to 10 chances.
You may say, "But wait, a bot might be able to tell that it's guessing close because it got more than 3 chances, so it can narrow its search that much more."
To that, I would say, "Yes, that's a good point." To counter this, have two different "Locked Out" attributes for a user. One is "Locked Out" and the other is "Report Locked Out."
If 3 wild guesses are made, "Locked Out" is set. But "Report Locked Out" is not set until there are 10 incorrect guesses - regardless of how wild they are.
The response to the user is keyed off the "Report Locked Out" field. If it is set, return "You're locked out" to the user; otherwise return "Login Unsuccessful" - or whatever you are saying for an incorrect password.

Now the only thing left is to somehow define what a "close" guess is.
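The two-flag scheme above, written out as an added example that is not from the original post. It assumes a "close" guess means an edit (Levenshtein) distance of at most 2 from the real password, and it assumes the verifier can compare the guess against the stored password in a form that allows that distance to be computed, which a salted hash does not allow.

```python
from dataclasses import dataclass

WILD_LIMIT = 3       # wild guesses before "Locked Out" is set
TOTAL_LIMIT = 10     # incorrect guesses of any kind before "Report Locked Out" is set
CLOSE_DISTANCE = 2   # assumed definition of "close": edit distance <= 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard row-by-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Account:
    password: str                    # assumed comparable in the clear (see lead-in)
    wild_guesses: int = 0
    total_guesses: int = 0
    locked_out: bool = False         # real lock: set after WILD_LIMIT wild guesses
    report_locked_out: bool = False  # what the user is told: set after TOTAL_LIMIT


def attempt_login(acct: Account, guess: str) -> str:
    """Apply one login attempt and return the message shown to the user."""
    if acct.report_locked_out:
        return "You're locked out"
    # A correct password only works while the real lock is not set.
    if not acct.locked_out and guess == acct.password:
        acct.wild_guesses = acct.total_guesses = 0
        return "Login successful"
    acct.total_guesses += 1
    if edit_distance(guess, acct.password) > CLOSE_DISTANCE:
        acct.wild_guesses += 1
    if acct.wild_guesses >= WILD_LIMIT:
        acct.locked_out = True
    if acct.total_guesses >= TOTAL_LIMIT:
        acct.report_locked_out = True
    # The user-facing response is keyed off "Report Locked Out" only, so a
    # silently locked account still answers exactly like a plain wrong password.
    return "You're locked out" if acct.report_locked_out else "Login Unsuccessful"
```

With the constructed password "correct horse", three wild guesses silently lock the account while the response stays "Login Unsuccessful"; only the tenth incorrect guess reveals the lock, whereas nine close guesses never set the real lock at all.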