
Authentication function should not reveal whether user account doesn't exist

Open aadamowski opened this issue 14 years ago • 0 comments

In the current mongoose-auth version, when trying to authenticate using the password module against a non-existent account, one gets an error "User with login... does not exist".

It's considered bad security practice to differentiate user authentication feedback based on the existence of the given account (see: OWASP-AT-002).

An attacker may use the information to attack the site more effectively, using e.g. brute force attacks, since he can perform a lower-cost enumeration of existing accounts.

Ideally, the mechanism should prevent an unauthenticated user from obtaining the information whether the given login corresponds to any account.

This includes active prevention against timing attacks - a random delay should be introduced during each unsuccessful authentication attempt so the attacker cannot analyze request/response timings and infer whether the account exists.

Without that, an attacker will receive a clear hint - a slightly shorter pause before the response since there's no hash checking when the account couldn't be found in the database.

aadamowski, Feb 27 '12 13:02