Incorporate ideas from OWASP's Authentication Cheat Sheet

I think most importantly, [authentication errors](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages) should be generic. Also, usernames could be made [case-insensitive](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#user-ids).
