How to tell the user his login credentials are incorrect?

When a user has entered incorrect details into a login form, is it better to tell them:

  • The username or password you have entered is invalid.

or

  • The user name you have entered is invalid (for invalid usernames)
  • The password you have entered is invalid (for valid usernames but invalid passwords).

The first approach "might" be more secure, as an attacker would not be able to confirm whether the username/email address is valid. At the same time, the user might get frustrated by not being able to remember the email address or username he signed up with.

The second approach is clearly more user friendly, but an attacker would be able to work out what a valid username/email is, and then launch an attack on guessing the password.

Some examples:

  • Amazon: There was an error with your E-Mail/Password combination. Please try again.
  • Hotmail: That Windows Live ID doesn't exist. Enter a different ID or get a new one. and That password is incorrect. Try again.

Which way should I go about displaying those errors?
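
The two message styles from the question, side by side, as an added example that is not part of the original post. The user store, function names and PBKDF2 parameters are assumptions made for the illustration. It goes one step beyond the question: the generic version also hashes against a dummy record for unknown usernames, so response time does not reveal what the message hides.

```python
import hashlib
import hmac
import os

GENERIC_ERROR = "The username or password you have entered is invalid."
ITERATIONS = 50_000  # constructed value for the demo, not a recommendation


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample user store (hypothetical account).
USERS = {"alice@example.com": make_record("correct horse")}
# Dummy record: unknown usernames still cost one full hash computation.
_DUMMY = make_record(os.urandom(16).hex())


def login_specific(username: str, password: str):
    """Second approach: a different message for each failure cause."""
    record = USERS.get(username)
    if record is None:
        return False, "The user name you have entered is invalid"
    salt, stored = record
    if not hmac.compare_digest(_hash(password, salt), stored):
        return False, "The password you have entered is invalid"
    return True, "OK"


def login_generic(username: str, password: str):
    """First approach: one message, same work whether or not the user exists."""
    record = USERS.get(username)
    salt, stored = record if record is not None else _DUMMY
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if record is None or not matches:
        return False, GENERIC_ERROR
    return True, "OK"


def distinguishable(login, known: str, unknown: str) -> bool:
    """True if the error text alone reveals whether a username exists."""
    return login(known, "wrong-guess")[1] != login(unknown, "wrong-guess")[1]
```

`distinguishable` can be kept as a regression test so a later wording change does not reintroduce separate messages.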