I can tell you exactly why I don't do this, for my app.
I don't want to indicate which of the fields is an issue.
Most folks use Sign up with Apple, though, which obviates this.
The best error message is to avoid the error; either by effective design, or by good affordances.
But this is what WFM. YMMV.
Why not?
This ignores the security risks from being too verbose and/or specific with error messages, especially if they’re coming from a server. You’ll usually fail security/pen-test audit.
I agree that doing a better job of helping the user is laudable, but you need to know which battles to fight.
Giving a unique error number that can be referenced by a support team (who could look up the event, look at stack traces, etc.) is the best way to deal with truly exceptional events. Otherwise, if it comes to authentication or authorisation, you have to be extremely careful what information you share.
But fair enough, I had stopped at the point where the advice was bad.
My bad. I’ve clarified in my original comment.
Groxx•2h ago
generate a random number (e.g. a uuid), log it with the error, and display that number.
doesn't leak data because it's different every time, but you can uniquely pair it up with what they are seeing.
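
The approach described in the comments above (one generic failure message, with a random reference logged server-side for support), as an added example that is not part of the thread. The user store, function names, log format and message text are assumptions made for illustration.

```python
import hashlib
import hmac
import io
import logging
import uuid
from typing import Optional

# Constructed sample data: one user with a salted PBKDF2 password hash.
_SALT = b"constructed-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}

GENERIC_MESSAGE = "Sign-in failed. Check your details and try again."

log_buffer = io.StringIO()  # stands in for the server-side log store
logger = logging.getLogger("auth_example")
logger.setLevel(logging.INFO)
logger.addHandler(logging.StreamHandler(log_buffer))
logger.propagate = False


def login(username: str, password: str) -> dict:
    """Return only what the client may see; the real reason goes to the log."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    # Unknown users are compared against a dummy value so both paths do the same work.
    stored = _USERS.get(username, bytes(32))
    password_ok = hmac.compare_digest(candidate, stored)
    if username in _USERS and password_ok:
        return {"ok": True}

    reason = "unknown_user" if username not in _USERS else "bad_password"
    ref = str(uuid.uuid4())  # random per event, so it carries no information itself
    # Server side only: the specific reason, keyed by the reference.
    # %r escapes control characters in the attacker-supplied username.
    logger.warning("ref=%s reason=%s username=%r", ref, reason, username)
    # Client side: the same message for every failure, plus the reference.
    return {"ok": False, "message": GENERIC_MESSAGE, "ref": ref}


def lookup(ref: str) -> Optional[str]:
    """What support would do: find the log line for a reference a user reports."""
    for line in log_buffer.getvalue().splitlines():
        if line.startswith(f"ref={ref} "):
            return line
    return None
```
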
ChrisMarshallNY•1h ago
spockz•37m ago