A very good point, though I would encourage something closer to 25 or 100 login attempts. Don't punish clumsy users for having a secure password, but prevent brute-forces by all means.
Second attempt: quick typing, wrong password again.
Third attempt: okay, I'll type it in carefully now. Wrong password.
Fourth attempt: oh, yes, that was my Yahoo! password. Remembers password and enters it cautiously, because he/she knows that he has a maximum of 5 login attempts.
Five are enough for me. Or at most 10. 100 seem ridiculous. How often does it happen that you mistype your password 99 times and get it right on the one-hundredth, before you're tired of being shown the "wrong password" message and click the "forgot password" link?
I'm only suggesting an implementation that is transparent for the user. 10 would probably be just fine, but 25 would be closer to an impossible situation without significantly increasing the odds of a successful attack.
