Brad Ideas: Crazy ideas, inventions, essays and links from Brad Templeton
Yes, be careful
Yes, I don't say one should not be careful in the design of these systems. I just rant about making a choice that frustrates the legitimate user as well as the attacker, when there could be choices that only frustrate the attacker.
Keeping usernames secret requires a tradeoff. Doing so can frustrate users, who may think they have got their password wrong (and keep retrying it until they get locked out) when actually they have their userid wrong. On the other hand, attackers may have various easy methods available to test usernames independently on many of today's sites, in which case hiding them helps nothing. (Many sites will let you enter usernames to get the password emailed without also asking for the email, for example, or put usernames in public web pages and URLs. In addition, it is very, very common for users to keep the same username over many systems.)
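To make the tradeoff in the comment concrete, here is an added example (mine, not code from the post or from any site it mentions) that puts the two design choices side by side: a login and a password-reset handler whose responses reveal whether a username exists, next to versions that give the same answer in every case and require the registered email before sending anything. The user store, salt, passwords and email addresses are constructed sample data; the `OUTBOX` list stands in for an email service so the behaviour can be inspected offline.

```python
import hashlib
import hmac

# Constructed sample user store (not from the original post).
# A fixed salt keeps the example deterministic; real systems use a random per-user salt.
_SALT = b"constructed-fixed-salt"


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a password hash with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {
        "email": "alice@example.invalid",
        "salt": _SALT,
        "hash": _hash("correct horse", _SALT),
    },
}

# Hash of a throwaway password: unknown usernames are charged the same
# hashing work as known ones, so timing does not reveal which is which.
_DUMMY_HASH = _hash("not-a-real-password", _SALT)

OUTBOX = []  # stands in for the email-sending service


def leaky_login(username: str, password: str) -> str:
    """Distinct messages tell the caller whether the username exists."""
    user = USERS.get(username)
    if user is None:
        return "unknown username"  # confirms the name is not registered
    if not hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return "wrong password"  # confirms the name is registered
    return "ok"


def hardened_login(username: str, password: str) -> str:
    """One message for every failure; same hashing work on every path."""
    user = USERS.get(username)
    salt = user["salt"] if user else _SALT
    expected = user["hash"] if user else _DUMMY_HASH
    match = hmac.compare_digest(_hash(password, salt), expected)
    if user is None or not match:
        return "invalid username or password"
    return "ok"


def leaky_reset(username: str) -> str:
    """Username alone triggers the email, and the reply says whether it exists."""
    user = USERS.get(username)
    if user is None:
        return "no account with that username"
    OUTBOX.append(user["email"])
    return "reset link sent to the address on file"


def hardened_reset(username: str, email: str) -> str:
    """Require the registered email as well, and answer identically either way."""
    user = USERS.get(username)
    if user is not None and hmac.compare_digest(user["email"].encode(), email.encode()):
        OUTBOX.append(email)  # only a correct username+email pair sends mail
    return "if that username and email match an account, a reset link has been sent"


def responses_distinguish(fn, known_args, unknown_args) -> bool:
    """True if the handler's reply differs between a known and an unknown username."""
    return fn(*known_args) != fn(*unknown_args)


if __name__ == "__main__":
    print("leaky login distinguishes:   ",
          responses_distinguish(leaky_login, ("alice", "x"), ("nobody", "x")))
    print("hardened login distinguishes:",
          responses_distinguish(hardened_login, ("alice", "x"), ("nobody", "x")))
    print("leaky reset distinguishes:   ",
          responses_distinguish(leaky_reset, ("alice",), ("nobody",)))
    print("hardened reset distinguishes:",
          responses_distinguish(hardened_reset, ("alice", "a@b"), ("nobody", "a@b")))
```

The hardened handlers still let the legitimate user in and still send the reset mail when username and email match; what they remove is the free existence check. The user-experience cost the comment describes (a user mistyping the username and retrying the password) is exactly what the generic message buys, which is why the reset flow asks for the email too rather than silently accepting the username.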