I was just writing this up as a feature request for Paperless, and then realised we don't do this either!
Basically - when a user fails a login, the HTTP response code should be 401, not 200. This allows anything monitoring logs or acting as a reverse proxy to be aware of the login failure, and helps to prevent brute-force attacks.
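
An added example, not part of the original post or any project's code: a sketch of the log-side check that a 401 on failed login makes possible, counting failed login POSTs per client in a sliding window. The login path `/login`, the threshold, the window and the sample access-log lines are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines in common access-log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /login HTTP/1.1" 401 512',
    '203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.4 - - [10/Mar/2024:12:00:05 +0000] "POST /login HTTP/1.1" 401 512',
    '198.51.100.4 - - [10/Mar/2024:12:00:09 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2024:12:00:11 +0000] "GET /login HTTP/1.1" 200 2048',
]

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})\b'
)

def flag_bruteforce(lines, login_path="/login", threshold=3, window_seconds=60):
    """Return client IPs with >= threshold 401 login POSTs inside the window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()
    for line in lines:
        m = LINE_RE.match(line)
        # Only a 401 on a login POST marks a failure; a 200 is indistinguishable
        # from any other successful page load.
        if not m or m["method"] != "POST" or m["status"] != "401":
            continue
        if m["path"].split("?", 1)[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        q = recent[m["ip"]]
        q.append(ts)
        # Drop failures that have aged out of the sliding window.
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged.add(m["ip"])
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_bruteforce(SAMPLE_LOG))
    # Same traffic, but with failures answered as 200: nothing is detectable.
    print(flag_bruteforce([l.replace('" 401 ', '" 200 ') for l in SAMPLE_LOG]))
```
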