pac4j-sql is vulnerable to timing attack. The password encoding of an authentication request is performed after a user is found. This causes a delay and provides hint to an attacker if the user exists.