>This becomes especially bad if your passwords aren't very strong (ran into a number of older systems that used 3-digit password).

3 ***digits*** is really bad, but considering old technology (think VT100 before you had to be afraid of smart devices) 3 char pwd were better than current things
mobile phone: 10**4
TTY : 62**3 with just cased letters and digit chars, even more with special chars easy to reach via keyboard

pwd entry was blocked after 5 false entries - safe enough, as walking up to admin to request a new one was greeted with proper BOFH attitude ;-)