Incoherent responses to authentication failures #220

@nomennesc-io

Description

When a user enters a wrong username, they are presented with ERR904, indicating the username doesn't exist. This can be abused by attackers to discover by brute force which usernames are valid.

When a user enters a wrong password or OTP, they don't get any kind of message, just an empty login page. That might cause some confusion.

I'd like to see any kind of authentication failure, be it a wrong username, password, or OTP, be met with the same message indicating to the user the authentication has failed and asking them to try again.
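An added example (not code from this project) of the change the report asks for, showing the reported behaviour beside a handler that answers every failure with one message. The user store, the PBKDF2 password hashing, the RFC 6238 TOTP check and all function names (`register`, `login_before`, `login_after`, `hotp`) are assumptions for illustration; the `now` parameter exists so the OTP step can be exercised offline.

```python
"""Uniform authentication failure responses: the reported behaviour beside a
hardened handler. Hypothetical example; not the project's own code."""
import hashlib
import hmac
import os
import struct
import time

# Hypothetical in-memory user store: username -> (salt, password_hash, totp_secret)
USERS: dict[str, tuple[bytes, bytes, bytes]] = {}
ITERATIONS = 100_000
GENERIC_FAILURE = ("Authentication failed. Please check your username, "
                   "password and one-time code, then try again.")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username: str, password: str, totp_secret: bytes) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt), totp_secret)


# Constructed dummy credentials used when the username is unknown, so that path
# performs the same PBKDF2 and TOTP work as a real verification and never matches.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)
_DUMMY_TOTP = os.urandom(20)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_matches(secret: bytes, code: str, now: float,
                 step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check over a small window; every candidate is compared,
    with no early exit, and compare_digest avoids byte-level timing leaks."""
    counter = int(now // step)
    ok = False
    for c in range(counter - window, counter + window + 1):
        ok |= hmac.compare_digest(hotp(secret, c).encode(), code.encode())
    return ok


def login_before(username: str, password: str, otp: str, now=None):
    """The behaviour the issue reports: a distinct response per failure type."""
    if username not in USERS:
        return False, "ERR904"  # reveals that the username does not exist
    salt, pw_hash, secret = USERS[username]
    if not hmac.compare_digest(hash_password(password, salt), pw_hash):
        return False, ""  # empty login page, no message
    if not totp_matches(secret, otp, now if now is not None else time.time()):
        return False, ""
    return True, "Welcome"


def login_after(username: str, password: str, otp: str, now=None):
    """Hardened: every failure yields the same message, and every path runs
    the same checks so the response and its cost do not depend on which step failed."""
    salt, pw_hash, secret = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH, _DUMMY_TOTP))
    user_known = username in USERS
    pw_ok = hmac.compare_digest(hash_password(password, salt), pw_hash)
    otp_ok = totp_matches(secret, otp, now if now is not None else time.time())
    if user_known and pw_ok and otp_ok:
        return True, "Welcome"
    return False, GENERIC_FAILURE


if __name__ == "__main__":
    # Constructed sample: the RFC 6238 test secret, time 59 s -> counter 1 -> code 287082
    register("alice", "correct horse", b"12345678901234567890")
    print(login_before("bob", "x", "000000", now=59))           # (False, 'ERR904')
    print(login_after("bob", "x", "000000", now=59))            # (False, GENERIC_FAILURE)
    print(login_after("alice", "wrong", "287082", now=59))      # (False, GENERIC_FAILURE)
    print(login_after("alice", "correct horse", "287082", now=59))  # (True, 'Welcome')
```

The one message alone is only half of the fix: the unknown-user path also has to do the same amount of work as the known-user path, otherwise response time still tells the two apart, and the uniform response should be paired with rate limiting on the login endpoint so that guessing remains expensive.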
