silinternational/idp-id-broker

Need to consider account status in authentication process

Closed this issue · 0 comments

Authentication should not pass when an account is either inactive or locked, even if the password is correct.

It is also important to take timing attack prevention into account.
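One way to combine both requirements from this issue, as an added example that is not the project's own code: the password is always hashed and compared in constant time, and account status is folded into a single result with no early return. The `Account` record, `authenticate` function, field names and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 100_000  # constructed value for the example


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:  # hypothetical record, not the broker's schema
    username: str
    salt: bytes
    pw_hash: bytes
    active: bool = True
    locked: bool = False


# Dummy credentials checked when the username is unknown, so a lookup miss
# costs the same hash computation as a hit. The dummy password is random,
# so no submitted password can match it in practice.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def authenticate(accounts: dict, username: str, password: str) -> bool:
    account = accounts.get(username)
    salt = account.salt if account else _DUMMY_SALT
    expected = account.pw_hash if account else _DUMMY_HASH

    # Always hash and compare in constant time, before looking at status.
    candidate = hash_password(password, salt)
    password_ok = hmac.compare_digest(candidate, expected)

    # Status is evaluated after the expensive work, never as an early return,
    # so inactive, locked and unknown accounts take the same path as valid ones.
    usable = account is not None and account.active and not account.locked

    # One boolean result: the caller cannot tell which check failed.
    return password_ok and usable
```

The caller should return the same generic failure response for every `False` result, so the response body does not reveal what the timing hides.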