Are you using the default password validation mechanism: `auth_ldap_server` or a custom interception script?
If the latter, you can set custom messages in the state, which can be picked up in the .xhtml documents.
Maybe Sahil can help you figure this out.