Comment 1 for bug 457434

root (n-root-psiphon-ca) wrote :

I think the feature you're referring to is the growing login delay on invalid password for valid username/email.

This delay doesn't give an attacker any indication that they entered a correct email vs. invalid email (wrong password both cases) because the delay is not in the response with an error message, but in the future time a subsequent login can succeed. In other words, in both cases the attacker gets an instant response with the same error message.

It's true that the valid email case will cause an additional "update" SQL statement to execute (the delay time is incremented). This is on top of a couple other queries in both cases, and taking network time into consideration, I would guess this would be difficult to measure.

So, leaving this here but lowering priority.
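The scheme the comment describes, as an added illustration that is not the project's own code: a login routine that answers instantly with one fixed error message whether the e-mail is unknown or the password is wrong, and that records the penalty for a valid e-mail as a "not before" time in the user row rather than as a sleep in the response. The table and column names, the doubling policy, and the cap are assumptions. It goes one step beyond the comment's point about the extra UPDATE: the unknown-e-mail path also runs the password hash against a dummy salt, so the two failure paths do the same CPU work and differ only in that one SQL statement.

```python
"""Growing login delay on invalid password, same instant error either way.

Added example; schema, policy constants and function names are assumptions.
"""
import hashlib
import hmac
import os
import sqlite3
import time

ERROR = "Invalid email or password."  # identical message for every failure
BASE_DELAY = 1.0                      # seconds after the first failure (assumed policy)
MAX_DELAY = 3600.0                    # cap so the penalty cannot grow without bound
PBKDF2_ROUNDS = 50_000                # kept modest so the example runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Dummy material so the unknown-email path costs the same hashing time
# as the known-email path (the only remaining difference is the UPDATE).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("dummy", _DUMMY_SALT)


def open_db() -> sqlite3.Connection:
    """In-memory table standing in for the real users table (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE users ("
        " email TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB,"
        " delay REAL NOT NULL DEFAULT 0,"          # current penalty in seconds
        " next_allowed REAL NOT NULL DEFAULT 0)"   # earliest time a login may succeed
    )
    return db


def add_user(db: sqlite3.Connection, email: str, password: str) -> None:
    salt = os.urandom(16)
    db.execute(
        "INSERT INTO users (email, salt, pw_hash) VALUES (?, ?, ?)",
        (email, salt, _hash(password, salt)),
    )


def penalty(db: sqlite3.Connection, email: str) -> tuple:
    """(delay, next_allowed) for a user; used to inspect the stored state."""
    return db.execute(
        "SELECT delay, next_allowed FROM users WHERE email = ?", (email,)
    ).fetchone()


def login(db: sqlite3.Connection, email: str, password: str, now=None) -> tuple:
    """Return (success, message).  Every failure returns ERROR immediately."""
    now = time.time() if now is None else now
    row = db.execute(
        "SELECT salt, pw_hash, delay, next_allowed FROM users WHERE email = ?",
        (email,),
    ).fetchone()

    if row is None:
        # Unknown email: do the same hashing work, then the same message.
        hmac.compare_digest(_hash(password, _DUMMY_SALT), _DUMMY_HASH)
        return (False, ERROR)

    salt, pw_hash, delay, next_allowed = row
    ok = hmac.compare_digest(_hash(password, salt), pw_hash)

    if ok:
        if now < next_allowed:
            # Right password, but still inside the penalty window: refuse
            # without touching the stored delay.
            return (False, ERROR)
        db.execute(
            "UPDATE users SET delay = 0, next_allowed = 0 WHERE email = ?", (email,)
        )
        return (True, "ok")

    # Wrong password for a valid email: grow the penalty (this is the extra
    # UPDATE the comment mentions) and push the next allowed time forward.
    new_delay = min(max(BASE_DELAY, delay * 2), MAX_DELAY)
    db.execute(
        "UPDATE users SET delay = ?, next_allowed = ? WHERE email = ?",
        (new_delay, now + new_delay, email),
    )
    return (False, ERROR)
```

Passing `now` explicitly keeps the behaviour deterministic; in production it would be left as `None`. The response for an unknown e-mail and for a wrong password is byte-for-byte the same and returned without any sleep, which is the property the comment relies on; the penalty only changes what a later correct login sees.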