by HeyImAlex 4789 days ago
Yep, the only way to really leak no information is to just always say that the action (sign up, forgot password) was successful, which is awful from a ux perspective. Don't forget to go through the motions of registration/recovery to stave off timing attacks as well.
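A sketch of what "always say success and go through the motions" looks like in code, added here as an illustration and not code from the commenter. It assumes a hypothetical in-memory user store, a fake outbox standing in for a mailer, and app.example URLs; none of those are from the thread. Both endpoints return one fixed message, and the expensive steps (the password KDF, token generation and hashing, the mail send) run on the known and unknown paths alike, so neither the response text nor the response time tells a caller whether the address is registered:

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores and a fake mailer (assumptions for this example);
# a real app would use a database and a mail queue.
USERS = {"alice@example.com": {"name": "alice"}}
PENDING_SIGNUPS: dict[str, bytes] = {}      # email -> password hash
RESET_TOKENS: dict[str, str] = {}           # email -> sha256(token)
OUTBOX: list[tuple[str, str, str]] = []     # (to, subject, body)

# One fixed wording per endpoint, whether or not the account exists.
GENERIC_RESET_MSG = "If that address is registered, a reset link has been sent."
GENERIC_SIGNUP_MSG = "Check your inbox to finish creating your account."
SALT = b"fixed-demo-salt"  # use a per-user random salt in production


def _send(to: str, subject: str, body: str) -> None:
    OUTBOX.append((to, subject, body))


def _hash_password(password: str) -> bytes:
    # Deliberately slow KDF: its presence or absence is the easiest thing
    # for an attacker to measure, so it must run on every path.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def sign_up(email: str, password: str) -> str:
    pw_hash = _hash_password(password)  # always runs, even for a taken address
    if email in USERS:
        # The "already registered" fact goes to the mailbox owner, never
        # into the HTTP response.
        _send(email, "You already have an account",
              "Someone tried to sign up with this address. "
              "Use password reset if you forgot your password.")
    else:
        PENDING_SIGNUPS[email] = pw_hash
        _send(email, "Confirm your account",
              f"https://app.example/confirm?token={secrets.token_urlsafe(32)}")
    return GENERIC_SIGNUP_MSG


def forgot_password(email: str) -> str:
    token = secrets.token_urlsafe(32)  # always generated
    digest = _hash_token(token)        # always hashed
    if email in USERS:
        RESET_TOKENS[email] = digest
        _send(email, "Password reset",
              f"https://app.example/reset?token={token}")
    else:
        # Same shape of work: a mail still goes out; the token is discarded.
        _send(email, "Password reset",
              "No account exists for this address. "
              "Sign up at https://app.example/signup")
    return GENERIC_RESET_MSG


def verify_reset_token(email: str, token: str) -> bool:
    # Compare against a same-length dummy when nothing is stored, so the
    # comparison itself does not reveal which addresses have pending resets.
    expected = RESET_TOKENS.get(email, "0" * 64)
    return hmac.compare_digest(expected, _hash_token(token))
```

Mailing an unregistered address is itself a trade-off (it is unsolicited mail to whoever typed it in), and the network send will still dominate latency; in a real service both paths should hand the message to an asynchronous queue so the request returns at the same point either way.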

I have actually worked on systems where the signup form allowed multiple users to have the same user name, and the log in process consisted of checking for the existence of a (username,password) pair. Needless to say, I regarded this as a major design flaw and fixed it (except for the existing non-unique users). But there is, for all the reasons it shouldn't be done, a situation where the signup form doesn't leak usernames.