If I enter username_x and password_x as my parameters, and you say "the username is right, but the password is wrong", then as an attacker, I've just learned that a user account exists named username_x.

If I'm being malicious, this could give me better access to focus on password cracking, since now I have a known-good account to work against. I might design a system that just goes through a dictionary list of usernames until I get a decent list of users, then loop through them with password attempts.

Let's say I'm not an attacker, but an overly curious friend, boy/girl-friend, or employer of a particular user. If I try 'bmelton' as a username on, say, Monster.com, and my employer gets a message saying "the username is right, but the password is wrong", then my employer now knows that I'm a user on Monster.com. That might not be the end of the world, and is easy to explain away, but let's say the website is "hot_chicks_that_aren't_your_wife.com", and your girlfriend finds you have an account on there.

This is potentially compounded if you're using email addresses as usernames, since I could easily point to 'some other' Barry Melton[1] and say that 'bmelton' must be his account, but that's harder to pull off if it is my email address.

In short, it's a security issue that also happens to be bad UX. Perhaps if your website has no negative connotation (e.g., freekittensforcharity.com), then it doesn't matter, but you're still slightly more vulnerable to password attacks as I described in the first scenario.

[1] - http://www.counterculture.net/thefish/
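The leak described in the comment above, next to a login check that answers identically whether or not the account exists. This is an added example, not part of the original comment; the user store, function names and PBKDF2 parameters are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor, chosen only for this example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store: username -> (salt, password hash).
USERS = {"bmelton": make_record("correct horse")}
# Dummy record so an unknown username costs the same hashing work as a real one.
_DUMMY = make_record("placeholder that is never accepted")

GENERIC = "Invalid username or password."


def login_leaky(username: str, password: str) -> str:
    """Separate messages: the reply alone confirms that the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return "No such user."
    salt, digest = rec
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "The username is right, but the password is wrong."
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """One message and one code path for every failure."""
    rec = USERS.get(username)
    salt, digest = rec if rec is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), digest)
    # Success requires a real record; a match against the dummy is ignored.
    if rec is not None and matches:
        return "OK"
    return GENERIC


def distinguishable(login, known_user: str, unknown_user: str) -> bool:
    """True if a wrong-password reply differs for existing vs. unknown usernames."""
    return login(known_user, "wrong") != login(unknown_user, "wrong")
```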