Shill currently uses heuristics to determine if the error is a bad passphrase.
This results in a UI notification for bad password only if (a) we have never connected to that network before or if we fail more than a threshold (3) # of attempts. 
We should be using the supplicant state and reason code-  if state is 4WayHandshake and reason code is PREV_AUTH_NOT_VALID, use that to set shill's error correctly and get the right UI notification (kErrorBadPassphrase). 


bool WiFi::SuspectCredentials(
    WiFiServiceRefPtr service, Service::ConnectFailure* failure) const {
  if (service->IsSecurityMatch(kSecurityPsk)) {
    if (supplicant_state_ == WPASupplicant::kInterfaceState4WayHandshake &&
        service->AddSuspectedCredentialFailure()) {
      if (failure) {
        *failure = Service::kFailureBadPassphrase;
      }
      return true;
    }
  } else if (service->IsSecurityMatch(kSecurity8021x)) {
    if (eap_state_handler_->is_eap_in_progress() &&
        service->AddSuspectedCredentialFailure()) {
      if (failure) {
        *failure = Service::kFailureEAPAuthentication;
      }
      return true;
    }
  }

  return false;
}

bool WiFiService::AddSuspectedCredentialFailure() {
  if (!has_ever_connected()) {
    return true;
  }
  ++suspected_credential_failures_;
  return suspected_credential_failures_ >= kSuspectedCredentialFailureThreshold;
}

Filed based on feedback report: https://feedback.corp.google.com/product/208/neutron?lView=rd&lReport=50653162073