by lucasmullens 4063 days ago
On a similar note, why do we have to use the error message "Wrong username or password"? Can't any hacker just try to make an account with a username to see if it exists?
2 comments

The username might exist, but be the wrong one. In such a scenario, the password is correct for the intended account but not for this particular account, meaning that the message "Wrong password" will confuse the user.

> On a similar note, why do we have to use the error message "Wrong username or password"?

Any hacker can try doing that irrespective of the message that you decide to show. Besides this error message, you can say "Invalid credentials" or "Your information does not match our records".
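
The trade-off discussed in this thread, as an added Python sketch that is not from any commenter: the login path returns one message for both failure cases, while a conventional signup path still reveals whether a name exists. The `Accounts` class, every message other than "Wrong username or password", the PBKDF2 work factor and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "Wrong username or password"
ITERATIONS = 50_000  # assumed work factor for this sketch


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Accounts:
    def __init__(self):
        self._users = {}  # username -> (salt, password hash)
        # Dummy record so an unknown username costs the same hashing work.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = _hash(os.urandom(16).hex(), self._dummy_salt)

    def signup(self, username: str, password: str) -> str:
        # A conventional signup form: this answer reveals whether the name
        # exists, regardless of what the login form says.
        if username in self._users:
            return "Username already taken"
        salt = os.urandom(16)
        self._users[username] = (salt, _hash(password, salt))
        return "Account created"

    def login(self, username: str, password: str) -> str:
        known = username in self._users
        salt, stored = self._users.get(username, (self._dummy_salt, self._dummy_hash))
        matches = hmac.compare_digest(_hash(password, salt), stored)
        if known and matches:
            return "Welcome"
        # Same message for "no such user" and "wrong password".
        return GENERIC_ERROR


def demo():
    accounts = Accounts()  # constructed sample data
    accounts.signup("alice", "correct horse")
    return {
        "unknown_user": accounts.login("bob", "correct horse"),
        "wrong_password": accounts.login("alice", "guess"),
        "good_login": accounts.login("alice", "correct horse"),
        "signup_existing": accounts.signup("alice", "x"),
        "signup_new": accounts.signup("bob", "y"),
    }
```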