That sounds like tarpitting, or perhaps timing attacks protection, rather than anything wrong in the password check pipeline.