You're making a normative argument; I'm making a positive one.

You ought not try random usernames/passwords on someone's public server, I agree. But if you expose a public server that lets someone type a username/password, you had best be ready for someone to guess values.