We can expect an active internet user to have accounts in at least 7 to 10 different online services (Facebook, Gmail, Outlook, Twitter, LinkedIn, SomeBank, YetAnotherBank, etc.). That's a lot of usernames and passwords to remember! Even though most people use email addresses as usernames, owning multiple email addresses is not uncommon. In short, it's all too easy to forget what your password is, or even worse, what your username is. At this point, most web sites offer a "recovery" option. But what exactly am I recovering? Is my username wrong? Or is my password wrong? A generic message like the one above, "The user name or password you entered is incorrect", does not help! Now, security experts might argue that being "generic" about username and password errors makes it harder for bad guys to guess usernames by pounding the form with random words or email addresses. But is this really a security risk or just a false alarm?
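The trade-off described above can be seen directly in a login handler. The following is an added example (not code from the original post), with a constructed credential store and a `specific_errors` switch that selects between the two message styles. `failure_messages_differ` checks the property the security argument rests on: whether an unknown username and a wrong password for a real account produce distinguishable responses. The handler also does the same password-hashing work for unknown usernames, since a faster reply on the unknown-user path would reveal account existence even when the text is generic.

```python
import hashlib
import hmac
import os
from typing import Tuple


# Constructed sample credential store (assumption for this example):
# username -> (salt, PBKDF2 hash of the password).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


_ALICE_SALT = os.urandom(16)
USERS = {
    "alice@example.com": (_ALICE_SALT, _hash_password("correct-horse", _ALICE_SALT)),
}

# Dummy record hashed against for unknown usernames, so that the unknown-user
# path costs the same as the known-user path (response time is another signal).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("placeholder", _DUMMY_SALT)

GENERIC_MESSAGE = "The user name or password you entered is incorrect"
BAD_USERNAME_MESSAGE = "The user name you entered is incorrect"
BAD_PASSWORD_MESSAGE = "The password you entered is incorrect"


def login(username: str, password: str, specific_errors: bool) -> Tuple[bool, str]:
    """Return (success, message). With specific_errors=True the message says
    which of the two fields was wrong; with False both failures read the same."""
    record = USERS.get(username)
    if record is None:
        # Burn the same hashing cost as a real lookup; the result is discarded.
        hmac.compare_digest(_hash_password(password, _DUMMY_SALT), _DUMMY_HASH)
        return False, (BAD_USERNAME_MESSAGE if specific_errors else GENERIC_MESSAGE)
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return True, "Login successful"
    return False, (BAD_PASSWORD_MESSAGE if specific_errors else GENERIC_MESSAGE)


def failure_messages_differ(specific_errors: bool) -> bool:
    """True when an unknown username and a wrong password give different
    messages, i.e. the response text alone tells whether an account exists."""
    _, unknown_user = login("nobody@example.com", "wrong", specific_errors)
    _, wrong_password = login("alice@example.com", "wrong", specific_errors)
    return unknown_user != wrong_password


if __name__ == "__main__":
    for mode in (True, False):
        print(f"specific_errors={mode}: messages differ = {failure_messages_differ(mode)}")
```

With `specific_errors=True` the two failures are distinguishable, which is the usability win the post argues for and the enumeration concern the experts raise; with `False` they are identical. A site choosing the specific wording typically pairs it with per-source rate limiting on the login form, which the generic wording alone does not provide either.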
From a usability perspective, if the username is incorrect, then it's best to have a specific message like: "The user name you entered is incorrect". This will stop users from trying 20 different email/password combinations and let them stick to trying different emails. Generic messages might work for popular web sites like Gmail, but other web sites might find themselves turning people off by making them think too hard! Facebook seems to do this right, with an explicit "Forgot your password" message (which is visible at all times):