Being able to determine if a username is valid without a valid password is a security flaw Even something as simple as taking longer to validate the password when the username is a valid one can also lead to user enumeration