Originally Posted by Philip M
There is no point in imposing a limit to the number of password attempts as the user can simply close the page, reopen it and start again.
Not if it's done properly server side. I think you'll find most if not all online banks will lock out users after 3 failed login attempts after which you have to physically contact the bank and jump through several hoops to prove you are who you say you are before they will re-activate your online access to your accounts. (The 2 banks I bank with both do)