by jfaucett 4993 days ago
The only reason I don't do this is because a hacker could potentially guess an email or username until it's correct, then brute force his way in with a password (because a lot of users don't make secure passwords that are long, multi-character, etc.). Maybe it makes it a little bit more difficult, but for me it's worth it. Also, even Google does this and I think most end users are accustomed to seeing this message.

I knew someone would say this :)

This is not an excuse for most of the sites (including Codecademy) because when you follow the "Forgot password" link and type in an email address, they instantly tell you whether that email address exists or not.

If you are displaying a message such as: "If the email address you provided is registered, you will receive an email shortly." then fine :)
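The non-revealing behaviour described in this reply, written out as an added example (not code from the thread or from any of the sites discussed): the login handler answers unknown email and wrong password with the same message, and the reset handler returns the quoted generic sentence whether or not the address is registered. The user store, salt and "Welcome back." text are constructed; the dummy-hash step also equalises the work done for unknown accounts, which goes a little beyond the comment's point about messages.

```python
import hashlib
import hmac
import os
import secrets
from typing import List, Tuple

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed in-memory user store (email -> (salt, hash)); stand-in for a database.
_SALT = os.urandom(16)
USERS = {"alice@example.com": (_SALT, _hash_password("correct horse", _SALT))}

# Verified against when the account does not exist, so an unknown email costs
# the same work as a wrong password and timing does not reveal which it was.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)

LOGIN_FAILED = "Invalid username or password."
RESET_RESPONSE = ("If the email address you provided is registered, "
                  "you will receive an email shortly.")

def login(email: str, password: str) -> Tuple[bool, str]:
    """Return (success, message); the failure message never says which part was wrong."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash_password(password, salt), stored)
    if matches and email in USERS:
        return True, "Welcome back."
    return False, LOGIN_FAILED

def request_password_reset(email: str, outbox: List[Tuple[str, str]]) -> str:
    """Queue a reset mail only for registered accounts, but answer every request identically."""
    if email in USERS:
        token = secrets.token_urlsafe(32)
        outbox.append((email, token))  # stand-in for actually sending the email
    return RESET_RESPONSE
```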

Very good point. This should be mentioned on the blog post too, and maybe brought to the attention of the site owners. It definitely makes a stronger case for either:

* avoiding giving away this piece of information on the forgot password screen

or

* telling the user whether it's their password or username that is wrong.

You might want to take a look at this Security StackExchange question: http://security.stackexchange.com/q/13079/7306

update: I noticed this was in fact mentioned on / added to the blog post.