Originally Posted By: artie505
which suggests that "three strikes and you're out" at least puts some sort of damper on a hacker's ability to crack a password.


That only works if there is an "authentication authority" - a secure agent that is able to (1) verify that the correct password has been provided, (2) provide the client with increased privileges to some resource provider as a result, and (3) record and update information on the client's profile.

If I dump your password file to a flash drive and take it home to my cluster, the security agent is completely out of the picture, specifically for (3). I can try as many password attempts as I want to, because the agent cannot count them and record my failures or delay password validation responses if I am obviously guessing.

That is why it's a problem when password lists are stolen, even when the passwords are hashed.


I work for the Department of Redundancy Department
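An added illustration of the distinction the post draws (example code written for this page, not the poster's): an online authority that counts failures and locks an account after three strikes, beside the offline case where whoever holds the stored records can call the verification routine directly, so no counter or delay applies and the only per-guess cost is the hash computation. The account names, passwords and candidate list are constructed sample data; the storage format (random salt plus PBKDF2-HMAC-SHA256) is this example's choice, not something the post specifies.

```python
import hashlib
import hmac
import os
import time

# Constructed sample accounts for this example (not data from the original post).
SAMPLE_PASSWORDS = {"alice": "correct horse", "bob": "hunter2"}


def make_record(password: str, iterations: int = 100_000) -> dict:
    """Store a random per-user salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_record(record: dict, guess: str) -> bool:
    """Recompute the digest for a guess and compare it in constant time to the stored one."""
    digest = hashlib.pbkdf2_hmac("sha256", guess.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


class AuthAuthority:
    """The online 'authentication authority' from the post: it verifies the password,
    grants access on success, and records failures so it can lock the account."""

    MAX_FAILURES = 3

    def __init__(self, records: dict):
        self.records = records
        self.failures = {user: 0 for user in records}
        self.locked = set()

    def login(self, user: str, guess: str) -> str:
        if user in self.locked:
            return "locked"  # further guesses are not even evaluated
        if user in self.records and check_record(self.records[user], guess):
            self.failures[user] = 0
            return "granted"
        if user in self.records:
            self.failures[user] += 1
            if self.failures[user] >= self.MAX_FAILURES:
                self.locked.add(user)
        return "denied"


def offline_verification_stats(records: dict, candidates: list) -> dict:
    """Model the stolen-file case: the holder of the records runs check_record()
    directly, so nothing counts, refuses or delays attempts. The only cost per guess
    is the hash computation itself, which is why the KDF iteration count matters."""
    start = time.perf_counter()
    evaluated = 0
    for record in records.values():
        for guess in candidates:
            check_record(record, guess)
            evaluated += 1
    elapsed = time.perf_counter() - start
    return {"evaluated": evaluated, "seconds_per_guess": elapsed / evaluated}


if __name__ == "__main__":
    records = {u: make_record(p) for u, p in SAMPLE_PASSWORDS.items()}
    auth = AuthAuthority(records)
    # Online: three failures lock the account; even the right password is refused afterwards.
    print([auth.login("alice", g) for g in ["a", "b", "c", "correct horse"]])
    # Offline: every guess is evaluated; the per-guess hash cost is the only throttle.
    candidates = ["password", "letmein", "qwerty"]  # constructed tiny list
    fast = {u: make_record(p, iterations=1) for u, p in SAMPLE_PASSWORDS.items()}
    print("1 iteration:", offline_verification_stats(fast, candidates))
    print("100k iterations:", offline_verification_stats(records, candidates))
```

Running it shows the two regimes side by side: the online path reports `denied, denied, denied, locked`, while the offline path evaluates every candidate against every record and its `seconds_per_guess` rises by orders of magnitude as the iteration count goes from 1 to 100,000. That cost, together with a per-user salt that prevents one computation from being reused across accounts, is the only defence left once the hashed list has been copied off the system.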