@2016-02-17 Updated
The login form HTTP status should be 200 OK.
The error HTTP status should preferably be 401 Unauthorized.
(The name may be confusing; 401 is about authentication.) RFC7235:
> 3.1. 401 Unauthorized
>
> The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource. The server generating a 401 response MUST send a WWW-Authenticate header field (Section 4.1) containing at least one challenge applicable to the target resource.
>
> If the request included authentication credentials, then the 401 response indicates that authorization has been refused for those credentials. The user agent MAY repeat the request with a new or replaced Authorization header field (Section 4.2). If the 401 response contains the same challenge as the prior response, and the user agent has already attempted authentication at least once, then the user agent SHOULD present the enclosed representation to the user, since it usually contains relevant diagnostic information.
If you want to handle the case where there is no permission, you may need 403 Forbidden [RFC7231].
HTTP 422 is used for WebDAV, but the meaning might fit the needs. (Not suggested for most cases)
For more information, please see the comment of Cássio Mazzochi Molin below.
@2016-02-12 **Updated** *(This is the reference to the accepted answer.)*
The login form HTTP status should be 200.
The error HTTP status should preferably be 400.
HTTP 422 is used for WebDAV, but the meaning might fit the needs.
HTTP 401 is for authorization. And is not suitable for authentication.
@2016-02-12 Original
HTTP 422 is now a better choice than 400 / 401. HTTP 422 is an alternative choice.
Because it means the server understands the data, but part of the data is not correct, i.e. it can show the client that the username / password is incorrect.
> 11.2. 422 Unprocessable Entity
>
> The 422 (Unprocessable Entity) status code means the server understands the content type of the request entity (hence a 415(Unsupported Media Type) status code is inappropriate), and the syntax of the request entity is correct (thus a 400 (Bad Request) status code is inappropriate) but was unable to process the contained instructions. For example, this error condition may occur if an XML request body contains well-formed (i.e., syntactically correct), but semantically erroneous, XML instructions.

RFC4918
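
The status choices from the latest update, as an added example that is not part of the original answer: a standard-library WSGI handler for a login endpoint that returns 200 for the form, 401 with the `WWW-Authenticate` challenge RFC 7235 requires for bad credentials, and 403 for a valid account without permission. The accounts, the `console` role, the `/login` path and the `Form` challenge scheme name are constructed for illustration.

```python
import hashlib, hmac, io
from urllib.parse import parse_qs

def _kdf(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed accounts: username -> (password hash, roles)
USERS = {"alice": (_kdf("correct horse"), {"console"}),
         "bob": (_kdf("battery staple"), set())}
# RFC 7235 requires a challenge on every 401; this scheme name is a placeholder.
CHALLENGE = ("WWW-Authenticate", 'Form realm="console"')

def authenticate(username, password):
    """Return the account's roles, or None when the credentials are invalid."""
    stored, roles = USERS.get(username, (_kdf("dummy"), None))
    # Hash and compare even for unknown users so timing does not reveal them.
    ok = hmac.compare_digest(stored, _kdf(password))
    return roles if ok and roles is not None else None

def reply(start_response, status, body, extra=()):
    start_response(status, [("Content-Type", "text/plain"), *extra])
    return [body.encode()]

def app(environ, start_response):
    """WSGI app for /login: 200 for the form, 401 or 403 for failures."""
    if environ["REQUEST_METHOD"] == "GET":
        return reply(start_response, "200 OK", "login form goes here")
    size = int(environ.get("CONTENT_LENGTH") or 0)
    form = parse_qs(environ["wsgi.input"].read(size).decode())
    roles = authenticate(form.get("username", [""])[0],
                         form.get("password", [""])[0])
    if roles is None:  # same answer for unknown user and wrong password
        return reply(start_response, "401 Unauthorized",
                     "invalid credentials", [CHALLENGE])
    if "console" not in roles:  # authenticated, but not permitted
        return reply(start_response, "403 Forbidden", "not permitted")
    return reply(start_response, "200 OK", "logged in")

def request(method, body=""):
    """Drive the app in-process and return (status, headers dict)."""
    seen = {}
    def start_response(status, headers):
        seen.update(status=status, headers=dict(headers))
    data = body.encode()
    environ = {"REQUEST_METHOD": method, "PATH_INFO": "/login",
               "CONTENT_LENGTH": str(len(data)), "wsgi.input": io.BytesIO(data)}
    app(environ, start_response)
    return seen["status"], seen["headers"]
```

Returning the same 401 body for an unknown user and a wrong password keeps the response from revealing which usernames exist.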