It’s an anti-hacker mechanism.
If the computer rejected the password the instant it knew it was wrong, that’s just more time a hacker could spend guessing passwords trying to get in. Forcing them to wait punishes this tactic.
It’s also possible for a hacker to use a very precise timer to check how long the computer takes to reject a wrong password, and use that information to tell how much of the password they guessed was correct, helping them zero in on better guesses faster than guessing at random. By forcing all incorrect tries to wait for the same (or a random) amount of time, you safeguard yourself against this kind of exploit.
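An added example (not part of the original answer) showing the leak and the fix described above: an early-exit comparison does more work the longer the correct prefix is, while a constant-time comparison followed by the same pause on every failure does not. The function names, the sample secret and the 0.05 s delay are assumptions made for illustration; the byte counter stands in for what a precise timer would measure.

```python
import hashlib
import hmac
import time

STORED = b"correct horse"   # constructed sample secret; real systems store a salted hash
FAIL_DELAY = 0.05           # assumed fixed penalty for a wrong try, in seconds


def leaky_equal(guess: bytes, secret: bytes) -> tuple[bool, int]:
    """Early-exit compare. Returns (match, bytes_examined).

    bytes_examined grows with the length of the correct prefix, which is
    the signal a precise timer picks up as a slightly slower rejection.
    """
    examined = 0
    if len(guess) != len(secret):
        return False, examined
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined      # stops at the first wrong byte
    return True, examined


def constant_time_equal(guess: bytes, secret: bytes) -> bool:
    """Compare fixed-length digests with hmac.compare_digest, so the work
    done does not depend on where the first mismatch is."""
    return hmac.compare_digest(hashlib.sha256(guess).digest(),
                               hashlib.sha256(secret).digest())


def check_password(guess: bytes, secret: bytes = STORED,
                   delay: float = FAIL_DELAY, sleep=time.sleep) -> bool:
    """Hardened check: constant-time compare, then the same wait on every failure."""
    ok = constant_time_equal(guess, secret)
    if not ok:
        sleep(delay)                    # identical pause for every wrong guess
    return ok


if __name__ == "__main__":
    for guess in (b"xorrect horse", b"correct hxrse", b"correct horse"):
        print(guess, leaky_equal(guess, STORED), check_password(guess))
```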