Enumeration attack in i18n code

[Ichabond]

The current code makes a distinction between invalid usernames and invalid passwords. The different error messages can be used to enumerate existing users.
Namely: LoginError::PasswordIncorrect and LoginError::UsernameNotFound. Resolution would probably just be merging these 2 into 1 eg.: LoginError::LoginFailure.

[thomwiggers]

By extension, https://github.com/zofrex/better-than-basic/blob/master/src/users.rs#L53-L56 provide a timing side channel that also allows to distinguish between valid and invalid users. Some hash should always be verified, just to prevent this timing problem. See also for example the django authenticate() method.