I'm not sure about that Error Messages, or at least the example. I know I always find it incredibly frustrating to get meaningless fluff back as error messages from a website. If the error has some meat to it I might be able to remedy the thing myself by altering the form data or hand-parsing the URL.

Simply saying "Invalid Login" doesn't buy you any securty if you're sending in the clear over the wire, so why make it harder on the user? There are other ways of handling brute-force attacks that you are expressing worry about here (think escalating delays for failures).

On the other hand, if you are truly paranoid minimizing the information you betray about your system is probably a good thing e.g. paths, server information (HTTP headers, etc.) (unfortunately?) that means no "Powered by Apache" feathers either ;-)

As for %ENV I stand by "Re: perlsec question".

--
perl -pe "s/\b;([st])/'\1/mg"