diff --git a/CHANGES.rst b/CHANGES.rst
index 7f20e762..1103c78a 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -11,6 +11,9 @@ Added
 
 - ``DISABLE_PASSWORD_RESET`` configuration option to disable password recovery. :pr:`46`
 
+Fixed
+*****
+- ``HIDE_INVALID_LOGIN`` behavior and default value.
 
 [0.0.8] - 2022-03-15
 ====================
diff --git a/canaille/conf/config.sample.toml b/canaille/conf/config.sample.toml
index 7f057711..58a6838d 100644
--- a/canaille/conf/config.sample.toml
+++ b/canaille/conf/config.sample.toml
@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "canaille/conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
 
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.
diff --git a/canaille/forms.py b/canaille/forms.py
index 3fd5ba6c..41d98b3a 100644
--- a/canaille/forms.py
+++ b/canaille/forms.py
@@ -31,7 +31,7 @@ def unique_group(form, field):
 
 
 def existing_login(form, field):
-    if current_app.config.get("HIDE_INVALID_LOGINS", False) and not User.get(
+    if not current_app.config.get("HIDE_INVALID_LOGINS", True) and not User.get(
         field.data
     ):
         raise wtforms.ValidationError(
diff --git a/demo/conf-docker/canaille.toml b/demo/conf-docker/canaille.toml
index 551d77f1..5c02cedc 100644
--- a/demo/conf-docker/canaille.toml
+++ b/demo/conf-docker/canaille.toml
@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
 
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.
diff --git a/demo/conf/canaille.toml b/demo/conf/canaille.toml
index fa3b8746..7fcd7578 100644
--- a/demo/conf/canaille.toml
+++ b/demo/conf/canaille.toml
@@ -33,12 +33,14 @@ OIDC_METADATA_FILE = "conf/openid-configuration.json"
 # If you have a sentry instance, you can set its dsn here:
 # SENTRY_DSN = "https://examplePublicKey@o0.ingest.sentry.io/0"
 
-# If HIDE_INVALID_LOGINS is set to true, when a user tries to sign in with
-# an invalid login, a message is shown saying that the login does not
-# exist. If HIDE_INVALID_LOGINS is set to false (the default) a message is
-# shown saying that the password is wrong, but does not give a clue
-# wether the login exists or not.
-# HIDE_INVALID_LOGINS = false
+# If HIDE_INVALID_LOGINS is set to true (the default), when an user
+# tries to sign in with an invalid login, a message is shown indicating
+# that the password is wrong, but does not give a clue wether the login
+# exists or not.
+# If HIDE_INVALID_LOGINS is set to false, when an user tries to sign in with
+# an invalid login, a message is shown indicating that the login does not
+# exist.
+# HIDE_INVALID_LOGINS = true
 
 # If ENABLE_PASSWORD_RECOVERY is false, then users cannot ask for a password
 # recovery link by email. This option is true by default.
diff --git a/tests/test_account.py b/tests/test_account.py
index 848b8f67..b7690fe7 100644
--- a/tests/test_account.py
+++ b/tests/test_account.py
@@ -123,7 +123,7 @@ def test_impersonate(testclient, slapd_connection, logged_admin, user):
 
 
 def test_wrong_login(testclient, slapd_connection, user):
-    testclient.app.config["HIDE_INVALID_LOGINS"] = False
+    testclient.app.config["HIDE_INVALID_LOGINS"] = True
 
     res = testclient.get("/login", status=200)
     res.form["login"] = "invalid"
@@ -134,12 +134,12 @@ def test_wrong_login(testclient, slapd_connection, user):
     res = res.form.submit(status=200)
     assert "The login 'invalid' does not exist" not in res.text
 
-    testclient.app.config["HIDE_INVALID_LOGINS"] = True
+    testclient.app.config["HIDE_INVALID_LOGINS"] = False
 
     res = testclient.get("/login", status=200)
     res.form["login"] = "invalid"
     res = res.form.submit(status=200)
-    assert "The login &#39;invalid&#39; does not exist" in res.text, res.text
+    assert "The login &#39;invalid&#39; does not exist" in res.text
 
 
 def test_admin_self_deletion(testclient, slapd_connection):
diff --git a/tests/test_forgotten_password.py b/tests/test_forgotten_password.py
index 35e5ea3c..c9e65624 100644
--- a/tests/test_forgotten_password.py
+++ b/tests/test_forgotten_password.py
@@ -30,7 +30,7 @@ def test_password_forgotten_invalid_form(smtpd, testclient, slapd_connection, us
 
 
 def test_password_forgotten_invalid(smtpd, testclient, slapd_connection, user):
-    testclient.app.config["HIDE_INVALID_LOGINS"] = False
+    testclient.app.config["HIDE_INVALID_LOGINS"] = True
     res = testclient.get("/reset", status=200)
 
     res.form["login"] = "i-dont-really-exist"
@@ -38,7 +38,7 @@ def test_password_forgotten_invalid(smtpd, testclient, slapd_connection, user):
     assert "A password reset link has been sent at your email address." in res.text
     assert "The login &#39;i-dont-really-exist&#39; does not exist" not in res.text
 
-    testclient.app.config["HIDE_INVALID_LOGINS"] = True
+    testclient.app.config["HIDE_INVALID_LOGINS"] = False
     res = testclient.get("/reset", status=200)
 
     res.form["login"] = "i-dont-really-exist"