I can see that it could be effective against brute force attacks. A real user would assume they fat fingered their password and try it again, a brute force attack would miss the password and carry on forever.