Sunday, May 27, 2012

Clever lockout logic on wrong password

A lot of systems use the logic of locking a user account if the user has entered a wrong password X times. Each time a wrong password is entered, the failed login attempt counter is incremented, and when that counter reaches X the account is locked. If the user enters the valid password, the counter is reset to zero.

But most of the time when a genuine user enters a wrong password, it is because they simply forgot that they changed the password and are still trying to use an old one.

A better approach to the lockout logic would be to not increment the failed login attempt counter if the entered password is one the user used in the past. There is no drawback in security, because all the information a malicious person can get is that a given password was used in the past; if that guess is wrong, the attempt counts as usual and the account will be locked.
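One way to implement this, as an added example that is not code from the post: the account keeps a bounded history of hashes of its retired passwords, and a wrong password that matches one of them is reported to the user but not counted toward the lockout threshold. `Account`, `login`, `MAX_FAILED_ATTEMPTS` and `HISTORY_LENGTH` are names and values assumed here for the illustration.

```python
import hashlib
import hmac
import os

MAX_FAILED_ATTEMPTS = 3   # X in the post (assumed value)
HISTORY_LENGTH = 5        # how many retired passwords to remember (assumed value)


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is kept low only so the example runs quickly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


class Account:
    def __init__(self, password):
        self.salt = os.urandom(16)
        self.current = _hash(password, self.salt)
        self.previous = []        # hashes of retired passwords, same salt so one PBKDF2 call per attempt
        self.failed = 0
        self.locked = False

    def change_password(self, new_password):
        # Retire the current hash into a bounded history before replacing it.
        self.previous = (self.previous + [self.current])[-HISTORY_LENGTH:]
        self.current = _hash(new_password, self.salt)


def login(acct, password):
    """Return 'locked', 'ok', 'old_password' or 'wrong' for one login attempt."""
    if acct.locked:
        return "locked"
    candidate = _hash(password, acct.salt)
    if hmac.compare_digest(candidate, acct.current):
        acct.failed = 0           # valid password resets the counter
        return "ok"
    # Wrong password: check the whole history without short-circuiting so that
    # timing does not reveal which (if any) retired password was matched.
    matched_old = False
    for old in acct.previous:
        matched_old |= hmac.compare_digest(candidate, old)
    if matched_old:
        return "old_password"    # user's own retired password: not counted toward lockout
    acct.failed += 1
    if acct.failed >= MAX_FAILED_ATTEMPTS:
        acct.locked = True
        return "locked"
    return "wrong"
```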