Most banks, cc, and similar financial services, will lock you out after three wrong password attempts--so a brute force attack, by trying lots of passwords won't work in this situation--why every site that requires a password doesn't have the same "three strikes and you're out" I don't know.
A while back, someone from Venezuela was able to "hack" my gmail acct and reset my password and locked me out--fortunately gmail has ways of letting the real user of a gmail acct back in.^ Since switching to 2-step verification, I haven't had a problem with gmail. [I don't know how they got into my acct in the first place.]
[PS: One nice feature gmail has, is that you can see the ip addresses of the last several logons to one's acct, so if your acct was breached you could see the source.]