In many applications, when you make a mistake in either your user name or password, you get a non-specific error indicating that either the user name entered does not exist or the password is incorrect for that user name.
I (naively) would expect the application to specify which one of the two errors happened. Is there any reason for not differentiating between them? I guess it would make it more difficult for an attacker to guess a correct user name/password combination, but is there any literature, research or similar that backs up this assumption?
The reason would be security: it prevents finding out which user names exist based on failed attempts.
This should be balanced with the user experience; if you’re told that either your user name or password is incorrect, it can be perceived as very unhelpful or annoying.
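The difference between the two behaviours discussed above, as an added example that is not part of the original question or answer: one login routine reports which of the two errors happened, the other returns the same response for both. The user store, function names and messages are assumptions made for illustration, and the dummy-hash step for unknown users goes slightly beyond the text so that both failure paths also do the same work.

```python
import hashlib
import hmac
import os

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed sample data: a one-user in-memory store (hypothetical).
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Verified when the user name is unknown, so that an unknown user and a
# wrong password both cost one hash computation.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

GENERIC_ERROR = "Invalid user name or password."

def login_specific(username, password):
    """Differentiating variant: the message reveals which user names exist."""
    record = USERS.get(username)
    if record is None:
        return False, "Unknown user name."
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "Incorrect password."
    return True, "Welcome."

def login_generic(username, password):
    """Non-specific variant: both failure causes produce the same response."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    password_ok = hmac.compare_digest(_hash(password, salt), stored)
    # The membership check keeps the dummy record from ever authenticating.
    if username in USERS and password_ok:
        return True, "Welcome."
    return False, GENERIC_ERROR

def distinguishable(login):
    """True if a failed attempt tells the caller whether the user exists."""
    return login("alice", "wrong") != login("nobody", "wrong")
```

A check like `distinguishable` can be kept as a regression test so that a later change to the error handling does not reintroduce the difference.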