If you try different user names, it [the PHP code] will take a different amount of time depending on if the username is there or not. If password_verify takes 0.1 seconds, you can simply measure that difference to determine if the username is valid or not. On average, requests for taken usernames will take longer than those for available ones. @ircmaxell
In most code, validation for logins will take longer if the username/password exists, as additional code routines are then called for further processing.
It’s this basis that is used in timing attacks. Since this kind of timing difference can be used in brute-force login attempts to determine whether usernames or e-mail addresses exist, it could be argued that "Invalid Username or Password" alerts make for useless error messages: they don’t tell the user what exactly is wrong, but an attacker can figure it out nonetheless. So you sacrifice usability for a security measure that isn’t one.
Having said that, I still believe in disclosing as little information as possible to your “attacker”. I consider it far safer to say “invalid input” than to say “username exists, but your password is wrong”. Even if this means less of a user experience, the security (even through obscurity) should remain a priority. I like how @ircmaxell closes his post, as it summarises it pretty well.
From a practical standpoint, I wouldn’t worry about timing attacks until I was confident that the other potential vectors are secured. With that said, I do think it’s quite interesting and worth knowing about. But like everything else in security and programming, it’s all about tradeoffs. @ircmaxell
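As an added example (not code from this post or from @ircmaxell's article), the early-return login described above is shown beside a variant that always performs one password_verify call, so the generic error message is no longer undermined by response time. The in-memory user table, the function names and the dummy-hash approach are assumptions made for illustration.

```php
<?php
// Constructed in-memory user table; a real application would query its database.
$users = ['alice' => password_hash('correct horse', PASSWORD_DEFAULT)];

// Hash of a throwaway random value, verified whenever the username is unknown.
// It must use the same algorithm and cost as the stored hashes.
$dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);

// Returns early for unknown usernames: no hash is computed on that path,
// so the response is measurably faster than for an existing account.
function loginLeaky(array $users, string $name, string $password): bool
{
    if (!isset($users[$name])) {
        return false;
    }
    return password_verify($password, $users[$name]);
}

// Always runs exactly one password_verify(), whether or not the user exists.
function loginEqualized(array $users, string $dummyHash, string $name, string $password): bool
{
    $known = isset($users[$name]);
    $hash = $known ? $users[$name] : $dummyHash;
    $ok = password_verify($password, $hash);
    return $known && $ok; // an unknown user can never succeed
}

// Average wall-clock time of a login callable over $rounds attempts, in ms.
function averageMs(callable $login, string $name, int $rounds = 5): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        $login($name, 'wrong password');
    }
    return (hrtime(true) - $start) / $rounds / 1e6;
}

$leaky = fn($n, $p) => loginLeaky($users, $n, $p);
$equal = fn($n, $p) => loginEqualized($users, $dummyHash, $n, $p);

// Compare both paths locally: only the leaky variant shows a large gap.
foreach (['leaky' => $leaky, 'equalized' => $equal] as $label => $login) {
    printf("%-9s existing: %7.2f ms  unknown: %7.2f ms\n",
        $label, averageMs($login, 'alice'), averageMs($login, 'nobody'));
}
```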