You are on issue re: information leakage, and this could be a crucial thought for any person rolling their own authentication/authorization scheme. +1 for mentioning OWASP. Educate customers and advise them about the most recent hacking developments so that they can prepare themselves and not become victims of http://pigpgs.com