How best to do user login validation

When working on a new project I always try and look at some old code and see if it can be improved in some way. Today it’s the validation on a user login form; and I need some help!

To be honest I can’t wrap my head round getting the right balance of how detailed to be with user validation in a couple of instances.

In a nutshell the question is:

Should I provide an error saying both the username and password are wrong if only one of them is actually wrong?

I was thinking about being more specific with the error messages. So if the username was correct but the password wasn’t only return an error detailing the password as wrong. Also on the flip side showing only a error for the username being wrong if the password was right.

I’ve scrapped the second idea because it seems stupid to confirm a password is correct if the username is wrong, surely a password can only be right once it’s associated to a username. There has to be implications on security too by confirming a password is correct and all a hacker would need to do is figure out the right username and then they’d be in.

So that left me with showing that only the password is incorrect if the username is right, but doesn’t the same problem exist in that I’m confirming a valid username and all a hacker has to do now is figure out the right password.

Does presenting an error message that says ‘some’ information is wrong work better by not telling some hacker what is or is not correct? But that doesn’t balance well with helping out users identify where the error actually lies.

So if anyone can help me come up with what they’d maybe do and why that would be really helpful.