One thing to observe here is that _generally_ one does not want to reveal more information to a potential attacker than is necessary. In this case it may be useful for a bad guy to know that there is no plaintext password vs. only knowing that authentication failed. Put another way : attempts to authenticate generally result in a binary succeed/fail result (excepting perhaps cases like 'your password has expired, which is only returned when an old but valid password is presented).
