Some of this depends on what you mean by “tries.” But here is a reasonable first whack.
Suppose that the password is
ab and you want to give a person two tries. Take q0 to be the initial state, take q2 to be the only accepting state, take q3 to mean “first try failed, initalize second try” (and it might light a light, warning the inputter that their first try failed). Also take q5 to be the (non-accepting) state meaning two-try failure.
Coming from q0 are two arrows, one to q1 labeled
a and one to q3 labelled
b. From q1 are two arrows, one to q2 labeled
b and one to q3 labeled
a. From q2 is a loop, labeled
You get the idea. From q3 are two arrows, one to q4 labeled
a and one to q5 labeled
b. From q4 come two arrows, one to q2 labeled
b and one to q5 labeled
a. From q5 is a loop, labeled
This is of course hopelessly naive from a security standpoint. But it gets across the basic idea.