I don’t think the msg is the heart of the issue; the real issue is that there is no reason to spell out the user name and the attempted password that is not going through. An error msg without the two serves just as well, because the person who has the authority to touch the db should also be the one who remembers the credential. Similarly, an auto login (with saved password) with a Google account, Yahoo account or Microsoft account will NEVER spell out what password it attempted. They only tell you that the saved password is no good and that you can retry or reset it. Imagine your browser spelling out ALL the passwords it saved for auto login simply because the router is offline. The connection string to a db deserves security similar to that of an online app. IMO, passwords should NEVER be shown. For another example, if you log in to SQL Express itself using any Microsoft utility such as the SSMC, it will only say the user name and password combination is no good and will NEVER spell out the password you saved. To me, it is a kind of proper IT culture to hide all passwords as much as possible.
In the environment of the live system where I deployed, most temp workers know SQL to some extent because most of them are college IT and engineering students.
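An added example, not part of the original post: one way to keep the user name and password out of a connection-failure message by masking them in the connection string before anything is displayed or logged. The function names, the key list and the sample strings are assumptions made for illustration.

```python
import re

# Connection-string keys whose values must not appear in anything a user or log reader sees.
# The key list is an assumption; extend it for the driver in use.
SECRET_KEYS = {"password", "pwd", "user id", "uid"}

# key=value pairs separated by ';'. A value may be quoted so it can contain ';' or '='.
PAIR = re.compile(
    r"""(?P<key>[^;=]+?)\s*=\s*(?P<val>"(?:[^"]|"")*"|'(?:[^']|'')*'|[^;]*)"""
)

def redact_connection_string(conn_str):
    """Return conn_str with the value of every secret key replaced by ***."""
    def mask(match):
        key = match.group("key")
        if key.strip().lower() in SECRET_KEYS:
            return f"{key}=***"
        return match.group(0)  # non-secret pairs (server, database) stay readable
    return PAIR.sub(mask, conn_str)

def safe_error_message(error_text, conn_str):
    """Build the text shown to the operator when a connection attempt fails."""
    # Some layers echo the whole connection string back in the error text.
    shown = error_text.replace(conn_str, redact_connection_string(conn_str))
    return f"Database connection failed: {shown} Check the saved credentials."

# Constructed sample values, not taken from any real system.
SAMPLE_CONN = r'Server=.\SQLEXPRESS;Database=Shop;User ID=app_user;Password="p;w=0rd!"'
SAMPLE_ERROR = f"Login failed using '{SAMPLE_CONN}'."

if __name__ == "__main__":
    print(redact_connection_string(SAMPLE_CONN))
    print(safe_error_message(SAMPLE_ERROR, SAMPLE_CONN))
```

The quoted-value branch matters: a password containing `;` or `=` would otherwise be cut at the first separator and its tail left visible.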