The only thing is, if you don't wait until the user starts entering the password, the attacker can theoretically scrape the page with your username and find out the per-user image.
You don't get the image based on the username, the image is stored as a cookie, so it's showing you that the Yahoo you logged in to this time is the one that new your cookie details before. Even if an attack-site can read your cookie they don't know which image to pair it with (though maybe it can be taken from a local cache somehow?). The image is a per-device (or per browser?) security indication.
Oh! Well that's a smart idea... that's kind of like showing you your private "profile picture" when you are logged in.
But if you have a session cookie, then you hardly need a password. Unless we are talking about a public computer where you need to enter your password.
I am talking about the times when you DON'T have a session cookie, and you are prompted to sign in with a password. That's the thing that could be spoofed.
