Studies on Sign In Authentication Error Messages
So, after browsing other threads, I found some information on the question of when a user is logging in, and fails to authenticate do we give the user the message "Username or Password is incorrect" or can we specifically say "No account with that username" and "Password is Incorrect". I found there is no security threat if we give the more specific error message (as malicious users can typically find the usernames/emails through a service's through the registration and password recovery processes anyway) and giving the specific message provides the user a much better experience.
Unfortunately, it doesn't seem like the organization will get on board with this unless I have some data to back it up. SO MY QUESTION IS, are there any studies done about the benefit of telling the user specifically that it was their password that they got wrong? If not, any ideas on how I could create a prototype to specifically test for this and get organic results? It just makes it hard to test because you can't organically have someone mistype or forget their username/password. Any help on how I would get some data/proof to back this up would be helpful! Thank you!