by arank 5525 days ago
And how do you know if someone was playing around with usernames or genuinely trying to log in? I agree with 'dvdhsu''s comment that if it's a public service where others can see the username, it's fine to load the error form with the username, but if it's a service where other users couldn't see your username, it's not a good idea to load the error form with the username, irrespective of whether it was right or wrong.

Why does it matter? You assume the best and help the good guy, and in the worst case you don't help the bad guy.

You shouldn't be thinking about security in your validation anyway.

We should always be thinking about security, particularly when validating security credentials. (But remember that security is a trade-off.)

But I don't see the security cost in populating the username box with what the user previously typed there. We're just echoing back what the user typed. The only extra information we've provided is that the potential attacker can't log in with that username+password --- we don't say whether this is because the username is invalid or because the password is incorrect for that username.
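One way to implement the approach the comment above describes, as an added example that is not code from any commenter: an unknown username and a wrong password return the identical message (and do the same hashing work, so the response time does not distinguish them either), and the echoed username is HTML-escaped before it goes back into the form. The user store, salt handling and password values are constructed for this example.

```python
import hashlib
import hmac
import html
import os


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-SHA256 is used here only as a stand-in for whatever the
    # application's real password hashing scheme is.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample user store: username -> (salt, password hash).
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash_password("correct horse", _ALICE_SALT))}

# Dummy record so that a lookup of an unknown username still performs one
# full hash computation, keeping the failure paths equally expensive.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("unused placeholder", _DUMMY_SALT)

# The single message returned for every failed attempt, whatever the cause.
GENERIC_ERROR = "Invalid username or password."


def authenticate(username: str, password: str):
    """Return (ok, message). Both failure modes yield the same message."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # Constant-time comparison; computed before the membership check so the
    # work done is the same whether or not the username exists.
    digest_matches = hmac.compare_digest(candidate, stored)
    ok = digest_matches and username in USERS
    if ok:
        return True, "Welcome"
    return False, GENERIC_ERROR


def render_login_form(username: str, message: str) -> str:
    """Re-render the form with the submitted username echoed back, escaped."""
    return (
        f'<p class="error">{html.escape(message)}</p>\n'
        f'<input name="username" value="{html.escape(username, quote=True)}">'
    )
```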