Why do some sites ask for username/email and password on two separate screens?

Security / Privacy disadvantage

There are security and privacy risks involved with this approach when badly implemented. An attacker could figure out if the email or login already exists when there is no default flow. As mentioned by @Mario Trucco, this can also be done via the registration process.

  1. Security is at risk: because it becomes easier for an attacker to brute-force their way into a system. It will make guessing easier if you only need to guess a password, instead of both the username and password.
  2. The privacy of users is under scrutiny. (Other people will know if you are listed at that website.)

Reasons why this is implemented

I found this on the Google documentation:

This new Google account sign-in flow will provide the following advantages:

  1. Preparation for future authentication solutions that complement passwords
  2. A better experience for SAML SSO users, such as university students or corporate users that sign in with a different identity provider than Google

Security Advantage

  1. It may enable more personalized customization options for security such as phrases or images providing more security options (see example below). This would reduce the scope of phishing as the screen generated would be specific to the user and would vary from user to user.
  2. Because users can have different ways of authenticating and the identity of the user is equal to the username, this will make it easier server-side to redirect traffic to the user's form of authenticating.

[Example image] The user sees his/her personal image or sound. If that image does not correspond with the image given at registration, the user knows this is a fake login.


Passwords are not a requirement for authentication in some cases.

The username generally determines how and what authenticates a user; in a federated login the username will identify the Identity Provider that will authenticate the user. That ID provider might use a password but is not required to; many alternate login flows can happen passively or use other information (e.g. smart card or other hardware token, biometrics, etc.)

Capturing a password in these scenarios either leads to the user entering the (sensitive) data twice (since Hotmail/Google don't need that info, the ID provider would have to request it a 2nd time) or entering data that is not needed at all.


The other answers have hinted at this but not really, I think, clarified the potential security benefits of a two-step login like this.

Doing things this way allows you to separate out the identification and authentication stages of the login process. Say for example you have an application which has multiple levels of user account with different authentication requirements (e.g. some users have 2FA, some just have password auth.) or perhaps something like a portal system with different backend user databases.

By taking the username on screen one, you can then present the correct authentication type for that user on screen two. As mentioned by @ludisposed there is a requirement to have a "default" flow for users who don't exist to avoid revealing valid/invalid usernames to someone who tries to guess valid accounts on the system.
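The two points raised across these answers, the enumeration risk of a badly implemented first screen and the "default flow" for unknown users, fit in one small example. This is added code, not code from any of the answers above; the user store, the domain-to-IdP map, the passwords and the IdP URL are constructed sample data. Screen one routes federated domains to their IdP by domain alone (so it never has to consult the local user table) and gives every other username the default password flow; screen two always hashes and compares in constant time, even for unknown usernames, and only asks for a second factor after a correct password, so a guesser cannot learn which accounts exist from either screen. The post-password step-up for 2FA is a slight generalization of the answer's "present the correct authentication type" that keeps the first screen indistinguishable.

```python
"""Added example: two-step login (identify, then authenticate) with a default
flow for unknown usernames. All users, domains and URLs below are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so an offline guess costs the same as an online one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class LocalUser:
    salt: bytes
    pw_hash: bytes
    totp_enrolled: bool = False


def make_user(password: str, totp_enrolled: bool = False) -> LocalUser:
    salt = os.urandom(16)
    return LocalUser(salt, hash_password(password, salt), totp_enrolled)


# Constructed sample data. Federated domains are routed purely by domain, so
# the identification step never reveals whether a federated account exists.
IDP_BY_DOMAIN = {"example.edu": "https://idp.example.edu/sso"}  # hypothetical IdP
LOCAL_USERS = {
    "alice@example.com": make_user("correct horse battery staple"),
    "bob@example.com": make_user("hunter2", totp_enrolled=True),
}

# Decoy credentials for unknown usernames: screen two does the same amount of
# work and returns the same failure whether or not the account exists.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = hash_password(os.urandom(16).hex(), _DECOY_SALT)


def identify(username: str) -> dict:
    """Screen one: decide which flow to present, without touching LOCAL_USERS.

    Unknown local usernames get the default password flow, so the response
    is identical to the one a real password user receives.
    """
    username = username.strip().lower()
    domain = username.rpartition("@")[2]
    if domain in IDP_BY_DOMAIN:
        return {"flow": "federated", "redirect": IDP_BY_DOMAIN[domain]}
    return {"flow": "password"}  # default flow, regardless of account existence


def authenticate_password(username: str, password: str) -> dict:
    """Screen two for the password flow.

    Always hashes, always compares in constant time, and only after a correct
    password steps up to TOTP for users who enrolled it.
    """
    username = username.strip().lower()
    user = LOCAL_USERS.get(username)
    salt, expected = (user.salt, user.pw_hash) if user else (_DECOY_SALT, _DECOY_HASH)
    matched = hmac.compare_digest(hash_password(password, salt), expected)
    if not matched or user is None:
        # Same generic message for a wrong password and an unknown user.
        return {"ok": False, "error": "invalid username or password"}
    if user.totp_enrolled:
        return {"ok": False, "next": "totp"}  # second factor, revealed only now
    return {"ok": True}


if __name__ == "__main__":
    print(identify("nobody@example.com"), identify("alice@example.com"))
    print(authenticate_password("nobody@example.com", "guess"))
    print(authenticate_password("bob@example.com", "hunter2"))
```

The decoy hash is the part most often skipped in real implementations: without it, an unknown username returns in microseconds while a real one takes a full PBKDF2 round, and the timing difference is as good as an explicit "no such user" message.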