It doesn’t. Cracking programs don’t use the user login form repeatedly. They use the same algorithm that creates the publicly encoded password to generate encoded passwords and keep going until they have a match. Besides getting the encoded password and salt, everything is done offline.
This just creates a really bad user experience.









Not even then. Brute force cracking programs don’t rely on the server to indicate if the attempted password is correct.