The correct way to handle this is to have a single error message instead of two, so that bad password is indistinguishable from bad username.
The correct way to handle this is to have a single error message instead of two, so that bad password is indistinguishable from bad username.