The brute force costs real money (computing power), and whether it is profitable is a simple calculation between costs and benefits.
To make a brute force attack less rewarding, we have limited the number of login attempts. And after a certain number, the user will be locked for a certain time.
