The error message on the default log in pages should always be a generic message so that it does not have any information leakage when AuthenticationException.message includes details about the failure. To help developers, we should also ensure that the failure is logged at the debug level (likely in the AuthenticationManager so that it happens for all failures).