Brad Ideas
Crazy ideas, inventions, essays and links from Brad Templeton
Can be source of security vulnerabilities too
If you're not careful how you implement the time delay, you can create a security vulnerability with this too.
There was an old version of Novell NetWare that would delay the reply packet if the request contained a bad password. However, it did NOT also do the same thing on a bad username. As a result, you could brute-force a list of usernames for that server by simply watching for whether the delay occurred.
It's merely an information leak, but it could be a useful early step in an attack.
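The difference between a delay applied only to bad passwords and one applied to every failed login, as an added example (not code from the comment or from NetWare). All function names, the sample account and the 2-second delay are assumptions; `sleep` is passed in so the requested delay can be recorded, and `time.sleep` would be supplied in real use.

```python
import hashlib
import hmac
import os

FAIL_DELAY = 2.0  # seconds; constructed value, the comment gives no figure

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_user_db(users):
    """Build a {username: (salt, hash)} table from constructed sample accounts."""
    db = {}
    for name, pw in users.items():
        salt = os.urandom(16)
        db[name] = (salt, _hash(pw, salt))
    return db

# Dummy record so an unknown username costs the same hashing work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_flawed(db, user, password, sleep):
    """Behaviour described in the comment: delay only on a bad password."""
    if user not in db:
        return False                      # immediate reply reveals "no such user"
    salt, stored = db[user]
    if not hmac.compare_digest(_hash(password, salt), stored):
        sleep(FAIL_DELAY)                 # delay occurs only for real usernames
        return False
    return True

def login_uniform(db, user, password, sleep):
    """Every failure takes the same path: one hash computation, one delay."""
    salt, stored = db.get(user, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored) and user in db
    if not ok:
        sleep(FAIL_DELAY)
    return ok

def failure_delays(login, db):
    """Record the delay requested for a bad username and for a bad password."""
    observed = {}
    for case, user in (("bad_username", "nobody"), ("bad_password", "alice")):
        calls = []
        login(db, user, "wrong-guess", calls.append)
        observed[case] = sum(calls)
    return observed
```

Comparing `failure_delays(login_flawed, db)` with `failure_delays(login_uniform, db)` works as a regression check: the two failure cases must request the same delay.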