Be it 1 or 5 mins you do get more tries on most systems.

What they really do is go after systems that dont lock it it. They then make a list of common passwords used by an email address and then start trying them on other sites.

So your forum you go to read about puppies does not lock it out, they get the password for that site. Then they start trying it on say wells fargo and citi bank etc. They dont need to know if you have a wells fargo account they just try it and every other bank. Most people who are not computer savy will have a few passwords they use a lot of places. Or variations of those passwords, like a place that requires 6 things and another place requires 8, a lot of people do things like add 12 to the 6 digit to get 8.

I am some what guilty of this, but use better variations.

Brute force attacks where they just randomly try passwords are a lot less common. Usually they send out a phishing email that looks legit, someone enters their password, and boom, they can get it. People want to be trusting, so they don't think twice about it. I work in the industry and I'd say about 80% of all ransomware attacks start with someone basically giving them their password.

I keep them in a file on a computer never connected to the internet, some (where I might have paper account files in a filing cabinet) on a piece of paper.

DU's I have memorized