I came across a good blog entry by Steve Riley on password policies:

"Account lockouts

Account lockout is a poor substitute for good passwords -- and is one of the most expensive security features you can use. Let's think about this by considering the threat. What threat does account lockout (attempt to) mitigate? Password guessing. How can you make password guessing attacks become useless for an attacker? Two ways: implement lockouts or use good (meaning long) passwords."

More here: http://blogs.technet.com/steriley/archive/2007/09/04/passwords-policies-once-again.aspx