A security mechanism is in place that only allows 5 invalid password attempts for a user name before that user account becomes locked out for 10 minutes. This mechanism has been put in place to protect against "Brute Force" attacks in which a robot attempts to guess 10,000 random passwords per second until it finds a correct password.
In versions 8.x.x there was a bug that did not correctly notify the user that their account had been locked out, and so many users would try over and over again to login. This has been resolved in versions 9.0.0 and higher.
If a user forgets their password they can always click on the "Forgot Password" link to have their password emailed to them. Additionally, the default of 5 invalid password attempts can be changed to 15 to help eliminate a users exposure to this security feature.