by sologoub 5002 days ago
One thing that jumped out at me with the "better" error messages, is that it makes it that much more hackable - if I can hit the service and find valid usernames, I can then try to get into those.

If you have a catch-all error message, it's much harder to guess the username/password combo.

4 comments

That argument is actually addressed in the post: "The engineering team, ever mindful of security, argued that being generic about username and password errors makes it harder for bad guys to guess usernames by pounding the form with random words or email addresses. But after some further consideration, we decided that it was a false risk, as the username reminder form already tells you if a username exists, and is not a significant security risk for the bajilions of sites that have them".
You are very likely already exposing that via a timing attack. If you disallow many login attempts in quick succession then it is also a non issue. If you have that in place and somebody is able to guess the password of a random account (it's an account found by randomly trying usernames after all), then it must be an extremely bad password. The benefits far outweigh the minuscule security risk.
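To make the timing and throttling points in the comment above concrete, here is an added example (not code from the thread or from the article it discusses). It contrasts a login check that distinguishes "no such user" from "wrong password" and returns early, leaking existence through both the message and the response time, with one that uses a generic message, does equal work for known and unknown names, and throttles per username. The PBKDF2 store, the dummy credential, the limits and the account "alice" are all constructed for the demo.

```python
import hashlib, hmac, os, time
from collections import defaultdict, deque

ITER = 50_000  # PBKDF2 rounds (constructed value for the demo)
def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ITER)

# Constructed user store: username -> (salt, hash). "alice" is the only account.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}
# Dummy credential for unknown names: all-zero hash never matches, same cost to verify.
DUMMY = (os.urandom(16), bytes(32))

def login_leaky(user: str, pw: str) -> str:
    """Distinct messages plus an early return that skips the slow hash for unknown names."""
    if user not in USERS:
        return "no such user"
    salt, stored = USERS[user]
    if hmac.compare_digest(_hash(pw, salt), stored):
        return "ok"
    return "wrong password"

_attempts: dict = defaultdict(deque)   # username -> timestamps of recent attempts
LIMIT, WINDOW = 5, 60.0                # at most 5 attempts per username per minute

def login_hardened(user: str, pw: str, now=None) -> str:
    """Generic message, equal-cost path, per-username throttle (also for unknown names)."""
    now = time.monotonic() if now is None else now
    q = _attempts[user]
    while q and now - q[0] > WINDOW:
        q.popleft()
    if len(q) >= LIMIT:
        return "too many attempts"
    q.append(now)
    salt, stored = USERS.get(user, DUMMY)
    candidate = _hash(pw, salt)          # always computed, whichever branch we are on
    if hmac.compare_digest(candidate, stored) and user in USERS:
        return "ok"
    return "invalid username or password"

def timing_ratio(fn, unknown="nobody", known="alice", n=3) -> float:
    """Mean time for an unknown name / known name: near 0 for leaky, near 1 for hardened."""
    _attempts.clear()                    # don't let the throttle skew the measurement
    def mean(u):
        start = time.perf_counter()
        for _ in range(n):
            fn(u, "wrong")
        return (time.perf_counter() - start) / n
    return mean(unknown) / mean(known)
```

The `now` parameter exists so the throttle can be exercised deterministically; in service code it would be left at its default.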
As the article states, they decided that this was a worthwhile risk to take. Users could already use the error handling in new username creation to determine if a username existed.

They decided that the net result outweighed the increased risk.

That exact point was addressed in the article (or were you simply unconvinced by how it was addressed?)