Well, in Facebook's case, it's more than double (it appears to be 3 or 4 at most), and it is done smartly (the reverse caps try is only performed if you typed in your password with Caps Lock turned on), and with a proper system to throttle attempts before locking an account, it seems reasonable to me. See https://security.stackexchange.com/a/214815 and its sources.
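The scheme described in the comment above, as an added example that is not part of the original comment and is not Facebook's code: the server checks the submitted string and its case-inverted form against one stored hash, and counts one failure per submission no matter how many variants it tried. The names, the PBKDF2 parameters, the lockout thresholds and the rule "try the inversion whenever it differs from the input" are assumptions.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 5     # assumed policy values, not taken from the comment
LOCK_SECONDS = 900
PBKDF2_ROUNDS = 100_000

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

class Account:
    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.digest = _hash(password, self.salt)   # only the real password is stored
        self.failures = 0
        self.locked_until = 0.0

def candidates(submitted: str) -> list:
    """Exact input first, then its Caps Lock inversion when that is a different string."""
    out = [submitted]
    flipped = submitted.swapcase()
    if flipped != submitted:       # no cased letters: a second hash would be wasted work
        out.append(flipped)
    return out

def login(acct: Account, submitted: str, now: float = None) -> str:
    now = time.time() if now is None else now
    if now < acct.locked_until:
        return "locked"            # refuse before doing any hashing
    ok = False
    for cand in candidates(submitted):
        # Check every candidate (no early exit) with a constant-time comparison.
        ok |= hmac.compare_digest(_hash(cand, acct.salt), acct.digest)
    if ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1             # one submission is one failure, whatever the variant count
    if acct.failures >= MAX_FAILURES:
        acct.locked_until = now + LOCK_SECONDS
        acct.failures = 0
    return "denied"
```

Because the variant set is fixed and small, each guess an attacker submits covers at most that many passwords, which is why the per-submission failure counter is what bounds the cost of the leniency.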