I've waited 5 seconds and here was no valid password, why I need to allow that?
If a user had an invalid code you should have denied them