Looking at the bigger picture of login/auth, timing might easily tell you the difference between valid and invalid usernames (information that you would not normally expect to leak from login)
A clumsy password implementation may give away information about valid password rules, imagine a system that validates passwords for length/complexity etc. (either before or after hashing) and rejects based on that, without comparing the hash values (or worst case, without even performing the hash) again more information has been leaked in the timing.
Hashing would make this technique less useful, but not necessarily useless. For instance, if there is no salt involved, and the hashing algorithm is known (or guessable), you can still make some use of the information leaked.
The difference is that you are not being leaked information about the password, but about the hash of the password. One problem with trying to brute force an authentication over the internet is that it is slow and potentially noticeable by the server admin (then you get cut off). If you exploited a timing attack from a comparison between raw md5's or sha1's of a password, then you can use the leaked information to focus your brute force. Basically, you could use a rainbow table to help you pick what passwords to try next, getting a lot more bang for your buck. In this way you can use the combination of offline brute forcing to generate possible hashes, and the timing attack to select which passwords to actually send.
Now an unknown salt would still ruin your day, just like it is designed to make life difficult for rainbow tables in the first place.
If your salt is 'short' you can still perform this attack.
Assume a timing oracle, which when queried with a plaintext password will return an integer which is the length in bytes of the matching hash prefix.
Choose a small prefix length (perhaps 3 or 4) and send distinct passwords to the oracle until you have more than one input password which produces the length you've chosen.
With this information you can perform an offline brute force of all possible salt values to reduce that set to only the salts which produce the correct matching prefixes when used with the passwords from the previous step.
Too many salts in this set? Test each one by generating a candidate password that has the same prefix as your test cases and then ask the oracle if it agrees that the prefixes match.
Once you know the salt, perform a dictionary attack against the partial hash you already know from guessing the salt to create a set of candidate passwords. If there are too many passwords to test them all, then generate a longer prefix. Either trying all the passwords or generating a prefix which is one byte longer than the last one is going to be a harder problem. Choose the easier of the two problems at each iteration.
It can work the same way. You just slowly figure out the hash: this pw for this user was a bit faster than all the other failures, so we know the first byte of the hash is ...
If you have a bunch of hashes precomputed, you can start to figure things out pretty quick.
The point is it's still leaking information about what's going on.
This makes sense, I hadn't thought of knowing the hashing method and it being unsalted. Knowing those it would be just as easy to whittle the list down exactly the same way.
Err, not exactly the same way. Sure if you have a rainbow table of all the possible values of the hash construct then it would take a negligible amount of time. Doing the math of all possible values in the Hash space you will quickly see that at this point in time and space it's not plausible to have that.
You may then argue that you can have the value space of all popular passwords, but that isn't going to be any more effective than just trying all of the possible passwords.
A clumsy password implementation may give away information about valid password rules, imagine a system that validates passwords for length/complexity etc. (either before or after hashing) and rejects based on that, without comparing the hash values (or worst case, without even performing the hash) again more information has been leaked in the timing.