I can log in 3 times with a bad password as a user, then the fourth time correctly, and the user gets a root shell.
What version of pam are you using?
Marking as later just to hide this until it's fixed.
sys-libs/pam-0.75-r5. It only seems to occur through login, which minimizes its danger, I suppose.
We have a new shadow that fixes this now.
This is all fixed.