Authentication error messages

Quite often, an authentication failure on an application's login page reveals more information than intended. For example, a user enters a wrong username and password, and the application responds with an error saying the username was not found. This reveals whether or not the given username exists in the application. An attacker could simply write a script to check 1,000 usernames for validity. This type of attack is known as user enumeration. Hence it is recommended that authentication failure messages be generic and not reveal whether it was the username or the password that was wrong. A generic message such as "Either the username or password was wrong" does not necessarily prove whether the username belongs to the application.
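The recommendation above as an added example (not code from the original page): a login handler whose failure message names the wrong field, next to one that returns a single generic failure, plus a regression check that the two failure cases are indistinguishable. The user store, account name, function names and PBKDF2 parameters are assumptions made for the example; it goes slightly beyond the text by also hashing against a placeholder record for unknown usernames, so both failure paths do the same work.

```python
import hashlib
import hmac
import os

GENERIC_FAILURE = "Invalid username or password."
ITERATIONS = 100_000  # constructed value for the example


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


# Constructed sample user store (hypothetical account).
USERS = {"alice": make_user("correct horse battery staple")}
# Placeholder record checked when the username is unknown, so both failure
# paths perform the same hashing work.
_DUMMY = make_user("placeholder")


def login_leaky(username, password):
    """The pattern the text warns about: the message says which field was wrong."""
    user = USERS.get(username)
    if user is None:
        return 401, "Username not found."
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return 401, "Incorrect password."
    return 200, "Welcome."


def login_generic(username, password):
    """Hardened form: one status code and one message for every failure."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    ok = hmac.compare_digest(_hash(password, record["salt"]), record["hash"])
    if user is not None and ok:
        return 200, "Welcome."
    return 401, GENERIC_FAILURE


def failures_match(login):
    """Regression check: unknown user and wrong password must look identical."""
    return login("no-such-user", "x") == login("alice", "x")
```

A check like failures_match can run in the application's test suite against every endpoint that accepts a username, so a later change that reintroduces a distinct message is caught before release.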