
> This doesn't address timing attacks, which are why this is done in the first place. If the code checks only for a username existing and returns the error message, this takes a measurably different amount of time compared to then also looking up if the password matches.

Timing attacks are solved by how you implement the backend checking code and not how you present the result to the end user in the most user-friendly manner.
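An added example, not part of the original comment or thread: one way a backend check can do the same password-hashing work whether or not the username exists, so the timing difference the quoted reply describes is not observable. The names `USERS`, `check_login`, `kdf_calls_during` and the PBKDF2 iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import os

KDF_CALLS = 0  # demo instrumentation: counts password-hash computations


def hash_password(password: str, salt: bytes) -> bytes:
    global KDF_CALLS
    KDF_CALLS += 1
    # Iteration count is a constructed demo value, not a production setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)


# Constructed sample user store: username -> (salt, password hash).
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record created once at startup. It is used when the username is
# unknown, so the expensive KDF still runs on that path.
DUMMY_SALT, DUMMY_HASH = make_record(os.urandom(16).hex())


def check_login(username: str, password: str) -> bool:
    record = USERS.get(username)
    salt, stored = record if record is not None else (DUMMY_SALT, DUMMY_HASH)
    candidate = hash_password(password, salt)
    # compare_digest takes time independent of where the bytes first differ.
    matches = hmac.compare_digest(candidate, stored)
    # An unknown user never authenticates, even if the dummy hash matched.
    return matches and record is not None


def kdf_calls_during(username: str, password: str) -> int:
    """Return how many hash computations one login attempt performs."""
    before = KDF_CALLS
    check_login(username, password)
    return KDF_CALLS - before


if __name__ == "__main__":
    for user in ("alice", "mallory"):
        print(user, check_login(user, "wrong"), kdf_calls_during(user, "wrong"))
```

Counting KDF calls stands in for a wall-clock measurement here because it is deterministic; what the response text says to the user is decided separately from this function.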



