Which error message is better when users enter a wrong password?

Just adding some extra information. OWASP guidelines give you recommendations about this issue

https://owasp.org/www-project-cheat-sheets/cheatsheets/Authentication_Cheat_Sheet.html#Authentication_and_Error_Messages

An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account.
The idea is to not give hackers extra information. If you say wrong password, you've told a hacker that they have a correct username, and vice-versa. Although what you've said is true, on some sites it is possible to determine if you've guessed a username via other means.
The easiest and most common phrase to use is:

"You have entered an invalid username or password"

The reasoning behind this is to prevent someone from trying to brute force your account by 'guessing' the password. If the attacker gets an error detailing the password is incorrect, then they could try different passwords until getting it right.

However, if you provide a generic message like the one above, the attacker doesn't know if the user, password or combination of both is correct or not.
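Both answers above describe the same fix. As an added example (not code from either answerer or from OWASP), here is a minimal Python login check with the leaky variant beside the generic one; the user store, salt and PBKDF2 iteration count are constructed for illustration. The generic version also hashes against a dummy record for unknown usernames, so the "no such user" path does not finish noticeably faster than the "wrong password" path (one of the "other means" the first answer alludes to).

```python
import hashlib
import hmac
import os
from typing import Tuple

GENERIC_ERROR = "You have entered an invalid username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count here is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash)
_SALT = b"constructed-salt"
USERS = {"alice": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record used for unknown usernames so that path does the same
# hashing work as a real (but wrong) password check.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> Tuple[bool, str]:
    """The pattern the question asks about: distinct messages reveal
    whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown username"
    salt, stored = record
    if not hmac.compare_digest(hash_password(password, salt), stored):
        return False, "Wrong password"
    return True, "OK"


def login_generic(username: str, password: str) -> Tuple[bool, str]:
    """One generic message for both failure cases. The dummy hash check
    runs for unknown users, and the explicit membership test prevents a
    guess of the dummy password from ever succeeding."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matched = hmac.compare_digest(hash_password(password, salt), stored)
    if username not in USERS or not matched:
        return False, GENERIC_ERROR
    return True, "OK"
```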