I have had some success using timing against UNIX to find out what usernames are valid on systems with finger &c disabled. If a username does not exist, it returns the "Login incorrect" a lot faster than it would if the username existed but the password was incorrect. I wonder how many other systems are vulnerable to this sort of attack.