It should be that it rejects the password the first time it’s entered correctly but accepts it on every subsequent try. That actually would provide some protection against like dictionary attacks and raw brute force attacks.