Thanks for your comments. But if we put aside a security part and take a real user (not a cracker) - which made a mistake (or forgot username (password)) while trying to sing in to his account. I have to say him "The username or password is incorrect. Please try again." Maybe the simplest way in such case to redirect a user to another page with the same fields (username and password) with a message about incorrect data?