There are a few ways to do this:

Use a botnet to launch the attack from multiple computers, so that each computer only tries a few times before being locked out.

Use a password dictionary and try common passwords first, so that the account is only locked out after trying a large number of passwords.