Security perspective of time to process logins in ASP.NET 8
I have started reading the book Advanced ASP.NET Core 8 Security: Move Beyond ASP.NET Documentation and Learn Real Security by Scott Norberg. See also amazon link.
Unlike most authors of security books, Scott Norberg knows how to code, and his knowledge shines in the book.
Highly recommended for any senior .NET software developer.
I am reading the chapter on Authentication and Authorization. There is a very interesting figure in the book which you can see below:

This figure shows the processing time of a login attempt against an ASP.NET site for existing users and for non-existing users. The timings differ because, if a user does not exist, ASP.NET returns from the call immediately. The implementation can be seen in the CheckPassword method of UserManager.
This means that an attacker will be able to guess existing usernames with a little effort.
The author, Scott Norberg, summarizes this very well. You might have learned that minimizing server processing is always the right approach. However, I want to highlight that this principle can sometimes be detrimental to security.
This is what I like about this book. Scott Norberg is clearly aware of trade-offs between security and UX, security and performance. Not everyone is.
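One way to narrow the timing gap described above is to do the same password-hash work whether or not the user name exists. The class below is an added example, not code from the book or from ASP.NET Core Identity; the name `EqualWorkCredentialChecker` is hypothetical, and it assumes the default `IdentityUser` type with Identity registered in dependency injection.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

// Hypothetical helper (not part of ASP.NET Core Identity). Register it as a
// scoped service, because UserManager<TUser> is scoped.
public sealed class EqualWorkCredentialChecker
{
    // Hash of a random throwaway password, computed once per process with the
    // application's configured hasher so its verification cost matches that
    // of real accounts.
    private static string? s_decoyHash;
    private static readonly IdentityUser s_decoyUser = new() { UserName = "decoy" };

    private readonly UserManager<IdentityUser> _users;
    private readonly IPasswordHasher<IdentityUser> _hasher;

    public EqualWorkCredentialChecker(
        UserManager<IdentityUser> users,
        IPasswordHasher<IdentityUser> hasher)
    {
        _users = users;
        _hasher = hasher;
        LazyInitializer.EnsureInitialized(ref s_decoyHash,
            () => _hasher.HashPassword(s_decoyUser, Guid.NewGuid().ToString("N")));
    }

    // Returns the user when the credentials are valid, otherwise null.
    public async Task<IdentityUser?> ValidateAsync(string userName, string password)
    {
        IdentityUser? user = await _users.FindByNameAsync(userName);
        if (user is null)
        {
            // Unknown user name: spend the same hashing time as a real check
            // and discard the result instead of returning immediately.
            _hasher.VerifyHashedPassword(s_decoyUser, s_decoyHash!, password);
            return null;
        }

        // Known user: the normal Identity check, which hashes the password.
        return await _users.CheckPasswordAsync(user, password) ? user : null;
    }
}
```

This equalises only the hashing step; lockout handling is not covered here, and the caller should return the same response for both failure cases.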