This is supposed to prevent attackers from getting connection data by guessing the password.
Each failed attempt increases the counter.
XmppClient on the server side checks for the users with 3 failed attempts and blocks them even before checking the password.