Usability might trump security, but when the "username" is actually an email address, revealing whether it's correct has implications beyond security. Don't make the mistake of becoming a clearing-house for spammers to find real email addresses.

I never obfuscate my own e-mail address; I find spam to be a near-enough solved problem with Gmail.

And I definitely don't agree that you should compromise usability on this point to avoid being a "clearing-house for spammers". Does that even happen? Would someone really try a ton of unconfirmed or randomly generated addresses against sites to verify that they are in use for accounts? If so, throttling requests would probably be a better solution. Or obfuscate the login validation message if you must, to make it harder for bots to read.

If you don't want everyone to be able to see what accounts exist, but still want to be more helpful than "Invalid email or password", what you could do is send an e-mail if the account does not exist, saying "You or someone else tried to log in but there is no account for this email. Did you get it wrong?"

Perhaps you could do that just for password reset, and link from a failed login to the reset. The user will then have a way to know which field was incorrect without everyone knowing the account exists.

entropay.com apparently does what I suggested, as exemplified here: http://lh4.ggpht.com/-DYZxz... (via http://www.troyhunt.com/201...

I can't tell how many times I've been frustrated because I've had to go through hoops to work out if it was the username of password that was incorrect. Espesially when the site require usernames for login instead of emails.

And speaking of usernames - there are so many sites that require you to user a username where it's completely uncalled for. The username isn't used for anything but login - which is a silly things to require the user to find a unique id when they already have one; their email address! With usernames you never end up having the same username at the various sites, making mutations you cannot remember.

That also compuonds the frustration of not being told what is incorrect when you log in. And I do feel that usuability should prevail and security measures should be made to fit. Surely there are solutions that work just as well as this obfuscation method.