Great article, but something to note for #4: while overall error messages should be more detailed…
Nicholas Moore

He wrote that he tried multiple passwords, so it seems that this was a registration form. In which case, the information about what is expected of a new password (some number, capital letter, etc.) should be clearly visible.

You are right: in a login scenario there should be no hint about how wrong the password on the input was. And it shouldn't even be possible for the web/app to know that, because the server shouldn't keep passwords in plaintext but rather their hashed versions, or even better, a hash of password + salt.
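The split discussed in this thread, as an added example that is not part of the original comments: registration reports exactly which password rules failed, while login returns one generic message because the server holds only a salted hash. The function names, the in-memory `db`, the minimum-length rule and the use of PBKDF2-HMAC-SHA256 as the salted hash are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import re

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def derive(password, salt):
    """Salted, deliberately slow hash; only this digest is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def policy_errors(password):
    """Registration: the rules are public, so name each one that failed."""
    rules = [
        (len(password) >= 8, "at least 8 characters"),  # assumed rule
        (re.search(r"\d", password), "a number"),
        (re.search(r"[A-Z]", password), "a capital letter"),
    ]
    return [msg for ok, msg in rules if not ok]

def register(db, user, password):
    errors = policy_errors(password)
    if not errors:
        salt = os.urandom(16)  # fresh random salt per account
        db[user] = (salt, derive(password, salt))
    return errors

def login(db, user, password):
    """Login: one generic answer, identical for unknown user and bad password."""
    # Unknown users get a dummy salt so the hash is still computed.
    salt, stored = db.get(user, (b"\x00" * 16, b""))
    ok = hmac.compare_digest(derive(password, salt), stored)
    return "Logged in" if ok else "Invalid username or password"

def differing_bits(a, b):
    """Count bits that differ between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

if __name__ == "__main__":
    db = {}
    print(register(db, "alice", "password"))       # detailed feedback
    print(register(db, "alice", "Correct7Horse"))  # [] means accepted
    print(login(db, "alice", "Correct7Horsf"))     # one character off
    salt, stored = db["alice"]
    # Roughly half of the 256 bits differ: no measure of "how wrong".
    print(differing_bits(stored, derive("Correct7Horsf", salt)))
```

A guess that is one character off produces a digest that differs from the stored one in about half of its bits, so the server has nothing to base a "close" hint on.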