So? I'm advocating showing the correct error message... a timing attack is irrelevant in this case.
For that matter, adding a random 500-2000ms timer before returning a failed result would likely be as effective, and not lead to a bad user experience.