How can hackers crack a password through brute force if there’s a limit of attempts?

1.19K views


In: Other

9 Answers

Anonymous 0 Comments

Regular brute force attacks against online login forms are rare.

What usually happens:

1. A bunch of sites get hacked and have the user database stolen. This contains hashes of passwords. You can’t decrypt them, but you can check passwords against them (“offline”, on the computer of the attacker, very fast and with no limit).

2. Someone brute-forces many of these passwords.

3. That person, or someone else who got the brute-forced list, now tries those passwords on other sites. Usually they already know that someone with username ‘foo’ used ‘password123’ on site 1, ‘badpassword’ on site 2, etc., so they will try these on other sites using the same user name. They don’t need many attempts per user, and the limit is usually quite high, usually resets after some time and/or after the attacker gets a new IP (otherwise each failed attack, or just a series of typos like when you forget to turn off caps lock, would lock the legitimate user out), and definitely resets after the user successfully logs in.

Hard retry limits are rare for the reason stated above. Some banks etc. use these; those users are usually attacked with phishing attacks instead.

Because online brute force attacks are so rare, you don’t need a super strong password – it’s more important that it is unique. Use password managers. Use 2FA as a second layer of security where it matters.

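The three-step chain described in the answer above, as an added simulation (this is example code written for this page, not something from the original answer). Everything in it is constructed: the leaked "site1" dump uses unsalted SHA-1, the wordlist has six entries, "site2" locks an account after five consecutive failures and resets the counter on success, and the source addresses come from documentation ranges. The last function is the defender's side of the same picture: a per-account lockout never fires on one attempt per account, so detection has to look at how many distinct accounts one source touches instead.

```python
# Added example (not from the original answer): offline cracking of a leaked
# hash dump, then credential stuffing against a rate-limited login, then the
# detection check that per-account lockouts cannot provide. All data is constructed.
import hashlib
from collections import defaultdict


def sha1_hex(s):
    return hashlib.sha1(s.encode()).hexdigest()


# Step 1: a constructed leak from "site1" (username -> unsalted SHA-1 of password).
# Unsalted, fast hashes make the offline phase cheap: one hash per guess is
# compared against every account at once.
LEAKED_SITE1 = {
    "foo": sha1_hex("password123"),
    "bar": sha1_hex("letmein"),
    "baz": sha1_hex("correct horse battery staple 7!"),  # not in the wordlist
}

# Constructed toy wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein", "badpassword"]


def crack_offline(dump, wordlist):
    """Step 2: offline cracking. No attempt limit, no network round-trips."""
    users_by_hash = defaultdict(list)
    for user, h in dump.items():
        users_by_hash[h].append(user)
    recovered = {}
    for guess in wordlist:
        for user in users_by_hash.get(sha1_hex(guess), []):
            recovered[user] = guess
    return recovered


class Site2Login:
    """Constructed target with the usual limit: lock after MAX_FAILS consecutive
    failures, counter reset on success. Passwords are kept in clear only because
    this simulates the server side."""

    MAX_FAILS = 5

    def __init__(self, users):
        self._users = users
        self.fails = defaultdict(int)
        self.log = []  # (source_ip, username, result), for the detection check

    def login(self, ip, user, password):
        if self.fails[user] >= self.MAX_FAILS:
            result = "locked"
        elif self._users.get(user) == password:
            self.fails[user] = 0
            result = "ok"
        else:
            self.fails[user] += 1
            result = "fail"
        self.log.append((ip, user, result))
        return result


# Constructed site2 accounts: only "foo" reused the site1 password.
SITE2_USERS = {"foo": "password123", "bar": "Winter2024!", "baz": "n0t-reused"}


def credential_stuff(site, ip, recovered):
    """Step 3: one attempt per account with the already-known password,
    far below any per-account lockout."""
    return {u: pw for u, pw in recovered.items() if site.login(ip, u, pw) == "ok"}


def online_brute_force(site, ip, user, wordlist):
    """The naive attack the question asks about: it dies at the lockout."""
    for guess in wordlist:
        result = site.login(ip, user, guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None
    return None


def stuffing_suspects(log, min_accounts=2):
    """Defender's check: flag sources that touch many distinct accounts with
    only one or two attempts each. The threshold is a toy value; tune it to
    the site's normal traffic."""
    accounts = defaultdict(set)
    for ip, user, _ in log:
        accounts[ip].add(user)
    return {ip for ip, users in accounts.items() if len(users) >= min_accounts}


if __name__ == "__main__":
    recovered = crack_offline(LEAKED_SITE1, WORDLIST)
    site = Site2Login(SITE2_USERS)
    print("cracked offline:", recovered)
    print("stuffing hits:", credential_stuff(site, "203.0.113.5", recovered))
    print("brute force of 'bar':", online_brute_force(site, "198.51.100.9", "bar", WORDLIST))
    print("suspect sources:", stuffing_suspects(site.log))
```

Running it shows the asymmetry the answer describes: the offline phase recovers two of three passwords without touching site2 at all, the stuffing phase makes two login attempts in total and gets one account, and the naive online brute force of a single account is locked out after five guesses with nothing to show. Only the source-to-distinct-accounts ratio in the login log separates the stuffing traffic from a user mistyping their own password.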