
Cards are way different. They combine something you have (the card) with something you know (the PIN). After three false attempts to enter the PIN you have to unlock the card going a different route. In such a scenario, 4 digits are fine.

You can't lock accounts only protected by a password and accessible by anyone (via the internet) this way, as this would invite Denial-of-Service attacks (locking your account with three failed attempts).



I have had quite a few sites block my account for three bad password attempts and I had to actually call the company to unlock the account (this was always a financial services company).

It's quite annoying, as none of the sites warned me about the impending account block after the first or second try. I guess it's an inconvenience that is worth it for the extra anti-brute-force security. Being locked out due to someone personally locking you out, as you mentioned, might also be annoying, but I would honestly rather be locked out of my account and therefore alerted that someone is trying to gain access to my data than not.

Why these same sites limit my password to a specific number of characters and disallow special characters is beyond me though.


It's always annoyed me how people set the lockout-after-n-attempts value to ~3 or 4. Why not 100? It makes almost no difference in your chances at brute forcing a password, but means that the real user trying all the passwords they might have used won't get locked out midway.


If you type a wrong password in "su" on OpenBSD, the binary responds immediately, telling me I'm wrong. On Linux, it does this stupid artificial 3-second penalty.

The Linux way sounds better, but the OpenBSD way is better. If you want people to use passwords, don't do petty nagging of them when they make a mistake.

On Linux when I mistype a password, I control-Z the "su" session and launch a new one instead of sitting around like a scolded schoolboy waiting for the binary to give me another chance.


> It makes almost no difference in your chances at brute forcing a password

Depends on how many people use a password in the top 100 most common vs. how many use one in the top 3. I would think it would be a sizeable difference.


This is a really good point.


> I have had quite a few sites block my account for three bad password attempts and I had to actually call the company to unlock the account (this was always a financial services company).

GoDaddy does this. It's the main reason I left them (before all the more recent shenanigans).



