Piccolo's current `BaseUser.login` implementation is vulnerable to time based user enumeration