Are there any differences, from a security point of view, between the following two error messages shown when a user enters a wrong password?
Wrong username or password.
Wrong password.
For example, when you enter a wrong password on Gmail.com, it will tell you "The username or password you entered is incorrect".
Are there any considerations for security reasons? I think the error message "The password you entered is incorrect" is clearer to users. What's more, it's very easy to check whether a username exists on Gmail.com: just click "Can't access your account?" and enter the username. If the username doesn't exist, it will tell you.
The idea is to not give hackers extra information. If you say wrong password, you've told a hacker that they have a correct username, and vice-versa. Although what you've said is true, on some sites it is possible to determine if you've guessed a username via other means.
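To make the answer's point concrete, here is an added example (not code from the question, the answer, or any real site) contrasting a login check that returns distinct "unknown username" / "wrong password" messages with one that returns a single generic message. It also goes slightly beyond the text: the hardened version hashes the supplied password even when the username does not exist, so that response time, not just the message, is the same for both failure cases. The user store, salt and passwords are constructed for the demo; `leaks_username` is a hypothetical test-suite check that a defender could run to confirm the two failure paths are indistinguishable.

```python
import hashlib
import hmac

# Constructed demo data; in a real system the salt is random per user.
_SALT = b"constructed-static-salt-for-demo"


def _hash_pw(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (iteration count kept modest for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# username -> (salt, stored hash). Only one user exists in this constructed store.
_USERS = {
    "alice": (_SALT, _hash_pw("correct horse battery staple", _SALT)),
}

# Dummy credential used for unknown usernames so the hash computation still
# runs and the unknown-user path costs the same time as the wrong-password path.
_DUMMY = (_SALT, _hash_pw("dummy-password-never-accepted", _SALT))

GENERIC_ERROR = "Wrong username or password."


def login_specific(username: str, password: str):
    """Leaky version: the message reveals whether the username exists."""
    if username not in _USERS:
        return (False, "Unknown username.")
    salt, stored = _USERS[username]
    if not hmac.compare_digest(_hash_pw(password, salt), stored):
        return (False, "Wrong password.")
    return (True, "OK")


def login_generic(username: str, password: str):
    """Hardened version: one failure message, and the password is always hashed."""
    salt, stored = _USERS.get(username, _DUMMY)
    matches = hmac.compare_digest(_hash_pw(password, salt), stored)
    # The username check guards against someone guessing the dummy password
    # for a nonexistent account; it happens after hashing, so timing is unchanged.
    if matches and username in _USERS:
        return (True, "OK")
    return (False, GENERIC_ERROR)


def leaks_username(login_fn) -> bool:
    """Hypothetical test-suite check: does a wrong password for a real user
    produce a different message than a login attempt for a nonexistent user?"""
    _, msg_real_user = login_fn("alice", "not the password")
    _, msg_no_user = login_fn("nobody", "not the password")
    return msg_real_user != msg_no_user


if __name__ == "__main__":
    print("login_specific leaks:", leaks_username(login_specific))  # True
    print("login_generic leaks: ", leaks_username(login_generic))   # False
```

A check like `leaks_username` belongs in the login code's own tests so that a later "helpful" message change does not quietly reintroduce the difference. As the answer notes, a generic message only closes one channel: password-reset and signup forms that confirm whether an account exists leak the same information and need the same treatment.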