There is no point in imposing a limit to the number of password attempts as the user can simply close the page, reopen it and start again.
And be aware that anyone can see the correct password with View Source.
But to make your code work you need to use a for loop.
All the code given in this post has been tested and is intended to address the question asked.
Unless stated otherwise it is not just a demonstration.