“Only the dumbest, laziest hacker is stopped by the “username or password is incorrect” sign in”
Which means it’s not total bullshit. If it stops that group, it has value. A lot of security attacks are lazy and automated, going for low hanging fruit and this best practice perhaps excludes you from being low hanging fruit.
I do agree with your solution for signing up, that’s a good idea to cover more ground.