They don’t. Validation or failure both take the exact same amount of time. Perhaps the issue is that, wherever you feel you are experiencing this, a failure is able to send a simpler failure message than a success, which presumably then has more to do since after you validate, it then needs to load whatever you were trying to access in the first place.

It takes only one check to validate the credentials. Once they are valid much more work is done on the server to actually complete the login process and establish the session.

A couple of reasons. One is referred to as “tarpitting”, where an artificial delay is introduced when there is an invalid password attempt. This is a measure against brute forcing password attempts.

On a network, your personal computer retains a password cache. This cache improves performance of local authentication. If you unlock the workstation with the same password you used to log on, then the password is assumed to be good. This allows the workstation to unlock quickly. Without the password cache, unlocking the workstation would require validating the password on the network, which can take longer.

Assuming we’re talking about when logging in to a computer, as said elsewhere, it takes exactly the same time to do either. However, if the validation fails the computer just has to put up a message it already has prepared in memory. If it succeeds, the computer has to load up the desktop and other applications that weren’t running during the login session, which takes time.