How bad is exposing valid user names?
In a slow brute force attack, using a large zombie network, exposing this kind of information can help an attacker significantly.
Imagine 10,000 zombie computers trying to log in every once in a while, first extracting usernames and, when a list of users is 'detected', going for passwords.
Let's say each zombie tries once an hour; that's 240,000 tries a day. The internet is full of database dumps with email addresses and usernames to try.
Here are some posts on this subject:
- Is there any reason to show the same message for invalid username as password?
- Username and/or password invalid: why do websites show this kind of message?
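To make the point concrete, here is an added example (not code from the original post or its author) contrasting a login handler that leaks which half of the credential failed with one that returns a single generic message and runs the same password-hashing work for unknown usernames, so that neither the text nor the response time tells the caller whether the account exists. The user table, the `alice` account and the password are constructed sample data; the `_DUMMY_SALT`/`_DUMMY_HASH` pair stands in for whatever placeholder credential a real system would keep for this purpose.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# PBKDF2 iteration count kept moderate so the example runs quickly; real
# deployments use a far higher cost or a memory-hard function such as Argon2.
ITERATIONS = 50_000
GENERIC_ERROR = "Invalid username or password"


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed in-memory user table: username -> (salt, digest).
USERS = {}


def register(username: str, password: str) -> None:
    USERS[username] = hash_password(password)


register("alice", "correct horse battery staple")

# Placeholder credential (assumed helper): when the username is unknown we hash
# the supplied password against this salt/digest so the unknown-user path costs
# the same as a real one and the comparison always runs.
_DUMMY_SALT, _DUMMY_HASH = hash_password(secrets.token_hex(16))


def login_leaky(username: str, password: str) -> str:
    """Leaks existence: distinct messages for unknown user vs. wrong password,
    and the unknown-user path returns early without any hashing work."""
    if username not in USERS:
        return "Unknown username"
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    if not hmac.compare_digest(candidate, stored):
        return "Wrong password"
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Same message and same amount of work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    _, candidate = hash_password(password, salt)
    # Evaluate both conditions unconditionally; no early return on membership.
    digest_ok = hmac.compare_digest(candidate, stored)
    user_known = username in USERS
    return "OK" if (digest_ok and user_known) else GENERIC_ERROR


def enumerates_users(login) -> bool:
    """True if the handler's response differs for a known vs. an unknown user."""
    return login("alice", "not-the-password") != login("no-such-user", "not-the-password")


if __name__ == "__main__":
    print("leaky handler enumerable:", enumerates_users(login_leaky))
    print("uniform handler enumerable:", enumerates_users(login_uniform))
```

The generic message alone is not enough: if the unknown-user branch skips the expensive hash, the response time still separates the two cases, which is why `login_uniform` hashes against the placeholder credential before deciding.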
How bad is exposing valid usernames? If you allow the general public to register, it is unavoidable: an attacker wanting to check whether a username is taken can simply attempt to register with it. In this case, not telling users whether their username or their password was incorrect makes a negligible difference (aside from inconvenience to forgetful users), and you should go ahead and say which it was.