by zck
4480 days ago
There's a key question whether or not to do this that I haven't seen discussed: is the fact that a given login has an account private information? Sometimes it is, sometimes it isn't. For example, on HN, it's trivial to find out whether a given username has an account -- just visit https://news.ycombinator.com/user?id=zck , and you'll see whether zck is a registered account. On services like that, I don't see the harm in distinguishing "password incorrect" errors from "no user" errors, since that doesn't give you private information. But on private sites, or if you're logging in via email? That's a different story.
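The distinction drawn in the comment above, as an added example that is not part of the original post: a login check that gives specific errors only when account existence is already public, and otherwise returns one generic message while doing the same hashing work for unknown users. The function names, the `accounts_public` flag, the PBKDF2 parameters and the sample user are assumptions made for illustration.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "invalid username or password"

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 chosen only to keep the example in the standard library (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}

# Constructed sample data, not taken from any real service.
USERS = {"zck": make_user("correct horse")}

# Dummy record: lets the private path do identical work for unknown names,
# so response time does not reveal what the message hides.
_DUMMY = make_user("placeholder")

def login(users: dict, name: str, password: str, accounts_public: bool):
    """Return (success, message).

    accounts_public=True  -> usernames are visible anyway (public profile
                             pages), so specific errors leak nothing new.
    accounts_public=False -> private site or e-mail login: one generic
                             error for both failure cases.
    """
    record = users.get(name)
    if record is None and accounts_public:
        return False, "no such user"

    target = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, target["salt"]), target["hash"])

    # A match against the dummy record must never count as a login.
    if record is not None and matches:
        return True, "ok"
    if accounts_public:
        return False, "password incorrect"
    return False, GENERIC_ERROR
```

On a site with private accounts, the same question applies to registration and password-reset responses, which can reveal account existence even when the login form does not.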