Lazy Security

Daniel Chatfield
1 min read, Jan 17, 2016


Just like design is much more than looking pretty, security is much more than being secure. Well designed security should be largely unnoticeable.

Security at the expense of user experience should be a last resort.

It is very common for a login page to return a generic error message irrespective of whether it was the username or the password that was wrong. The UX case for distinguishing these cases is clear: users can waste a lot of effort trying several different passwords, having forgotten that they signed up with a different email address. The security case for not distinguishing them is to mitigate user enumeration.

In practice this rarely adds any real security, as the vast majority of these sites do not have a captcha on the signup form, and so the same information is leaked there. This is lazy security: rather than take the necessary steps to mitigate a brute-force attack, they are attempting (with little success) to reduce the likelihood of one at the expense of user experience. It is not just me with this view; both Google and Facebook now distinguish these cases.
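To make the argument concrete, here is an added example (my own illustration, not code from the post or from any of the sites it mentions) of a toy authentication service. It shows that a signup endpoint already answers the question "does this email have an account?", so a generic login message buys nothing on its own, and that the mitigation that actually limits guessing is throttling applied consistently to both endpoints. The user store, rate limits, email addresses and client addresses are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque


def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is a placeholder for the demo."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RateLimiter:
    """Sliding-window attempt counter keyed by any string (client address, email, ...)."""

    def __init__(self, limit: int, window_seconds: float, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock  # injectable so tests can advance time deterministically
        self._hits = defaultdict(deque)

    def allow(self, key: str) -> bool:
        now = self.clock()
        hits = self._hits[key]
        # Drop attempts that have aged out of the window.
        while hits and now - hits[0] > self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class AuthService:
    """Constructed in-memory service: one user store, two endpoints, shared throttling."""

    def __init__(self, clock=time.monotonic):
        self.users = {}  # email -> (salt, pbkdf2 hash)
        # The same per-client limiter guards signup and login, so signup cannot be
        # used as an unthrottled side channel once login is throttled. Limits are
        # illustrative values, not recommendations.
        self.per_client = RateLimiter(limit=20, window_seconds=60, clock=clock)
        self.per_account = RateLimiter(limit=5, window_seconds=60, clock=clock)

    def signup(self, client: str, email: str, password: str) -> str:
        if not self.per_client.allow(client):
            return "rate_limited"
        if email in self.users:
            # This response reveals account existence exactly as a specific
            # login error would; hiding it only on the login page is pointless.
            return "email_taken"
        salt = os.urandom(16)
        self.users[email] = (salt, _hash_password(password, salt))
        return "created"

    def login(self, client: str, email: str, password: str) -> str:
        # Throttle per client and per target account before touching the store.
        if not self.per_client.allow(client) or not self.per_account.allow(email):
            return "rate_limited"
        record = self.users.get(email)
        if record is None:
            return "unknown_account"  # specific message: better UX, no extra leak
        salt, stored = record
        if hmac.compare_digest(_hash_password(password, salt), stored):
            return "ok"
        return "wrong_password"


if __name__ == "__main__":
    svc = AuthService()
    print(svc.signup("10.0.0.1", "alice@example.com", "correct horse"))
    print(svc.signup("10.0.0.1", "alice@example.com", "anything"))   # email_taken
    print(svc.login("10.0.0.1", "alice@example.com", "wrong guess"))  # wrong_password
    print(svc.login("10.0.0.1", "nobody@example.com", "wrong guess"))  # unknown_account
```

The design point is that the distinct `unknown_account` and `wrong_password` results are acceptable precisely because the rate limiters, not the wording of the error, bound how many guesses an attacker can make, and because `signup` sits behind the same per-client limiter rather than leaking freely.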
