Locking out an account is a great way to stop brute force attacks. Not every site will do this, though.
The majority of attacks will come from people getting hold of a database leaked from a website with your password in it, and then trying your username and password on that website but also many other popular websites.
The good news is that a good website will hash your password, so you can’t just read it from the database. However, if the attacker has the database, they can use a brute force attack to decode those hashes.
Always use a secure password (20 random characters, or 3 words).
Never reuse passwords between websites.
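To illustrate the hashing point above, here is an added example (not part of the original answer) of how a site can store passwords so that a leaked database is expensive to guess against and account lockout is not the only defence. The choice of PBKDF2-HMAC-SHA256 with 600,000 iterations and all function names are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000  # assumed work factor for this example


def fast_hash(password):
    """Weak storage: one unsalted SHA-256, very cheap to compute per guess."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt=None):
    """Stronger storage: a random per-user salt plus a deliberately slow KDF."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = slow_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def seconds_per_guess(hash_fn, rounds=2):
    """Average cost of hashing one candidate password with hash_fn."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn("candidate-%d" % i)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    # Constructed sample: two users who picked the same password.
    pw = "correct horse battery"
    print("unsalted records identical:", fast_hash(pw) == fast_hash(pw))
    rec_a, rec_b = slow_hash(pw), slow_hash(pw)
    print("salted records identical:  ", rec_a == rec_b)
    print("login check passes:        ", verify(pw, *rec_a))
    print("fast hash s/guess: %.7f" % seconds_per_guess(fast_hash))
    print("slow hash s/guess: %.7f" % seconds_per_guess(slow_hash))
```

The slow, salted form does not make a weak or reused password safe; it only raises the cost of each offline guess, which is why the two rules above still apply.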